Posted on February 8, 2019 at 2:18 PM
According to a recent report by the security firm Wandera, the popular e-ticket system used by at least eight airlines around the world may have a very serious flaw. The researchers discovered that the system sends unsecured check-in emails that expose a lot of passengers’ private information while confirming their flight details.
The flaw, discovered in December 2018, may even allow hackers to change passengers’ flight details, or print their boarding passes. The airlines using the flawed system include Air France, Transavia, Air Europa, Southwest, KLM, Thomas Cook, Vueling, as well as a major Australian airline, Jetstar.
What is the flaw about?
According to the researchers, the airlines mentioned above use a system that contacts passengers via email, sending them links that lead to their flight details and give them the option to alter those details. This includes things like seating arrangements, baggage information, passport details, and even the email address and phone number associated with the booking.
Hackers can access this information because the check-in emails that the airlines send to their passengers are not encrypted. However, there is still no evidence of any data breach. Wandera itself says so, and the company only warns that a data breach is possible.
Another very important condition for this to be possible is the use of public Wi-Fi. If passengers used their home Wi-Fi or their mobile connection to check these emails, they would likely not be in any major danger. However, the use of public Wi-Fi is very dangerous, as there is no way of telling who else might be connected. If the passenger shares the same Wi-Fi with the hacker, the connection may be used for accessing the passenger’s device and stealing their data.
As mentioned, Wandera discovered the vulnerability in December, and the security company immediately notified the airlines, as well as security agencies. After that, the company waited for several weeks before publishing its findings, giving the airlines enough time to handle the issue.
Jetstar responds to security accusations
According to the Australian budget airline Jetstar, there is no evidence of a security breach. The company stressed that it takes security and privacy very seriously and that there is no indication that its customers’ data was ever misused in the way that Wandera suggests is possible.
The company also mentioned having numerous security layers in place, which are continuously being improved and strengthened. Furthermore, Jetstar claims that sensitive customer data, especially regarding payment details, is not accessible through the booking link.
Wandera responded to this, stating that they stand by their claims and that they are confident in their findings. The company pointed out that they do not know whether any passenger data was compromised, or whether the companies using the vulnerable system have implemented a fix in the weeks following the discovery.
After the discovery was made, Wandera investigated further, checking around 40 large airlines around the world. As mentioned, eight of them were found to be vulnerable.
How can passengers protect themselves
As explained earlier, the most important condition is that passengers need to be using an unprotected network in order for hackers to access their booking details. This can, of course, happen at home, although the probability of this is extremely small, as the hacker would have to infiltrate the passengers’ home networks first, and then their emails as well.
However, public Wi-Fi is a different story, and passengers are advised never to use it for such purposes if it can be avoided. In fact, it is probably best to avoid public Wi-Fi altogether, as anyone with enough skill and technical knowledge can spy on anyone else connected to the same network.