British Airways exposes personal and flight information of passengers due to flaw in e-ticketing system


The check-in links that British Airways emailed to passengers were plain HTTP rather than HTTPS and carried the passenger's booking reference and surname in the URL, exposing personal information as well as the flight itinerary.
Anyone on the same network as a passenger who opened their check-in link could capture the URL and read, or reuse, those details.

Security researchers from Wandera discovered a flaw in the e-ticketing system of British Airways that could expose passenger data, including flight details and personal information.


What happened?


The researchers found that the flight check-in links British Airways sent to passengers by email were unencrypted: they pointed at an http:// address rather than https://, so the request a passenger's browser makes when following the link, URL and all, travels over the network in cleartext. This opens the door to an attack that could expose passengers' booking reference numbers, phone numbers, email addresses, and more.


“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight,” wrote the Wandera researchers in a blog post.


“The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted,” added the researchers.


Because the request is sent in the clear, anyone positioned on the same network (shared airport or hotel Wi-Fi, for example) can capture the URL. Since the booking reference and surname are exactly what the website accepts as proof of identity, an attacker who has the link can open it themselves to view the passenger's information or even alter the booking.
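The following Python is an added illustration, not code from Wandera's report or from British Airways. It shows what an on-path observer recovers from a captured plain-HTTP check-in request, a check that flags such links, and a hardened alternative in which the emailed link carries only an opaque, single-use, short-lived token over HTTPS. The host name, the query parameter names (`bookingRef`, `surname`, `t`) and the booking data are all constructed; the article names only the fields involved, not the exact query keys.

```python
"""Added example (not Wandera's or British Airways' code): why identifying
details in a plain-HTTP check-in URL leak, and a hardened link design.
All URLs, parameter names and booking data below are constructed."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed HTTP request, as an attacker on the same network would see it on
# the wire when the passenger clicks an http:// link. The parameter names are
# hypothetical; the article gives the fields (booking reference, surname),
# not the real query keys.
CAPTURED_REQUEST = (
    b"GET /checkin?bookingRef=ABC123&surname=Smith HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)


def sniff_url_params(raw_request: bytes) -> dict:
    """Extract query parameters from a captured plaintext HTTP request.

    Over TLS the request line is inside the encrypted record, so an observer
    sees only the server name; over plain HTTP it is readable as-is."""
    request_line = raw_request.split(b"\r\n", 1)[0].decode("ascii")
    _method, target, _version = request_line.split(" ")
    query = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(query).items()}


# Query keys that identify a passenger and double as credentials when the site
# logs the passenger in from them (hypothetical names, lower-cased for matching).
SENSITIVE_KEYS = {"bookingref", "pnr", "surname", "lastname", "email", "phone"}


def link_findings(url: str) -> list:
    """Return the problems a reviewer would flag in an emailed check-in link."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("transport: link is %s, readable on path" % parts.scheme)
    for key in parse_qs(parts.query):
        if key.lower() in SENSITIVE_KEYS:
            findings.append("parameter '%s' exposes passenger identity" % key)
    return findings


# Hardened alternative: the emailed link carries an opaque, single-use,
# short-lived token over HTTPS; the booking details stay server-side.
_TOKENS = {}  # token -> (booking_ref, surname, expiry); in-memory stand-in for a DB


def issue_checkin_link(booking_ref: str, surname: str, ttl_seconds: int = 3600,
                       now: float = None) -> str:
    """Mint a random token, remember the booking it maps to, return the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = (booking_ref, surname, now + ttl_seconds)
    return "https://example.invalid/checkin?" + urlencode({"t": token})


def redeem_checkin_link(url: str, now: float = None):
    """Return the booking for a valid token, consuming it; None otherwise."""
    now = time.time() if now is None else now
    token = parse_qs(urlsplit(url).query).get("t", [None])[0]
    record = _TOKENS.pop(token, None)  # single use: removed even if expired
    if record is None or record[2] < now:
        return None
    return {"booking_ref": record[0], "surname": record[1]}


if __name__ == "__main__":
    print("sniffed:", sniff_url_params(CAPTURED_REQUEST))
    print(link_findings("http://example.invalid/checkin?bookingRef=ABC123&surname=Smith"))
    link = issue_checkin_link("ABC123", "Smith")
    print(link_findings(link))        # nothing to flag
    print(redeem_checkin_link(link))  # booking, first time only
    print(redeem_checkin_link(link))  # None: token already consumed
```

Two caveats the hardened version does not remove: a token in a URL still lands in browser history, proxy logs and Referer headers, which is why it is single-use and short-lived rather than a long-lived login; and an http:// link is exposed even when the server redirects to HTTPS, because the first request, query string included, has already gone out in cleartext before the redirect arrives.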


What information was exposed?


The exposed information includes passengers’ names, email addresses, phone numbers, membership numbers, booking reference numbers, itineraries, flight numbers, flight times, and seat numbers.


Worth noting


The researchers discovered this flaw in July 2019 and soon informed the airline about it. At the time of sharing their analysis, the researchers stated that the flaw had not ..
