Delta and other US airlines have apparently been issuing insecure online boarding passes that could be altered by changing the URL. Good news for savvy travelers who wanted an upgrade, bad news for everyone concerned about security.
The flaw was discovered by Dani Grant of Hackers of NY, who informed Delta that by changing a single digit in a URL, travelers could access others’ boarding passes, or even get passes for other flights. Delta replied with a standard-issue “We Hear You!” response, not seeming to understand the problem.
The process was random, with no control over which pass the URL tweaking would bring up, and airport security would doubtless catch up with you as soon as you attempted to board with the wrong pass. There is nevertheless a wider information security issue: customers’ personal details, including their names and frequent flier numbers, were all potentially accessible online via one of the most basic and well-known flaws there is.
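The class of flaw described above, a record identifier in the URL with nothing checking who is asking, is shown here beside one hardened form. This is an added example, not Delta's code: the numeric IDs, record fields, HMAC-signed link token and logged-in session are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; every name and number here is invented.
PASSES = {
    1001: {"owner": "alice", "name": "A. Example", "ff_number": "FF-0001", "flight": "XX100"},
    1002: {"owner": "bob", "name": "B. Sample", "ff_number": "FF-0002", "flight": "XX200"},
}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def vulnerable_lookup(pass_id):
    """Before: the identifier taken from the URL is the only thing consulted."""
    return PASSES.get(int(pass_id))


def _tag(pass_id, owner):
    # HMAC over "id:owner" ties the link to one record and one customer.
    msg = f"{pass_id}:{owner}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(pass_id, owner):
    """Value placed in the boarding-pass link instead of the bare identifier."""
    return f"{pass_id}.{_tag(pass_id, owner)}"


def hardened_lookup(token, session_user):
    """After: reject edited links, then enforce ownership on the server."""
    pass_id, _, tag = token.partition(".")
    if not (token.isascii() and pass_id.isdigit()):
        return None  # malformed input never reaches the data store
    if not hmac.compare_digest(tag, _tag(pass_id, session_user)):
        return None  # digit changed, tag missing, or link issued to someone else
    record = PASSES.get(int(pass_id))
    if record is None or record["owner"] != session_user:
        return None  # authorization check, independent of the token
    return record
```

The ownership comparison is deliberately kept even though the tag already binds the owner, so a leaked or misissued token still cannot return another customer's record.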
Delta has now fixed the problem, telling BuzzFeed:
“After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring.
“As our overall investigation of this issue continues, there has been no impact to flight safety, and at this time we are not aware of any compromised customer accounts.”
Meanwhile, according to information security expert Brian Krebs, Park-n-Fly, an online airport parking reservation service, has suffered a data breach, with numerous financial institutions reporting fraudulent transactions. Park-n-Fly is investigating, but so far has been “unable to find any specific issues related to the cards or transactions reported to us and by the financial institutions”.
For more guidance on information security, and how your organization can avoid incidents like these, please see our free ISO 27001 information pages. ISO 27001 is the international standard for information security management, which provides best-practice requirements for an enterprise-wide information security management system (ISMS) that addresses people, processes, and technology to help secure your organization’s information.