British Airways Check-In Flaw Exposes Personal Data

BA e-ticketing system flaw exposes passengers' details, including phone numbers, email addresses etc.

British Airways is once again at the centre of a security scare after security researchers uncovered a flaw with its e-ticketing system.

Researchers from Wandera said the flaw in the system could expose passenger data including their flight booking details and personal information such as names, telephone numbers, email addresses etc.

It should be remembered that BA was last month already fined a record £183.39 million by the Information Commissioner’s Office for a data breach last year that affected half a million customers.

Check-in flaw

On 6 September 2018 BA said it had discovered a hack of its website and mobile app that had compromised the personal and financial details of around 380,000 customers.

Then in October BA confirmed that the hack was worse than first thought, after it said it had discovered that an additional 185,000 payment card records had been stolen – bumping the compromised number to over 500,000 and prompting the record fine from the ICO under the tough GDPR rules.

The good news this time is that there is no word on whether the flaw uncovered by the Wandera researchers has compromised any passenger data.

But the Wandera flaw does leave personal passenger information exposed to hackers sniffing out traffic on public Wi-Fi networks, like those commonly found in airports for example.

“Our threat researchers discovered that the vulnerable check-in links are being sent by British Airways to their passengers via email,” said the researchers.

“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight,” said Wandera.

“The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted,” it added. “Therefore, someone snooping on the same public Wi-Fi network can easily intercept the link request, which includes the booking reference and surname and use these details to gain access to the passenger’s online itinerary in order to steal even more information or manipulate the booking information.”

Wandera said that it followed the responsible disclosure route and informed BA of the issue last month. It said that it had also noticed a similar check-in link vulnerability affecting eight major airlines in February 2019, including: Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa, and Transavia.

All airlines were notified and urged to take action to secure the check-in links.

British Airways told Forbes that they had not received any detailed information from Wandera and no critical information can be accessed. They also said there was no evidence of a breach having actually taken place using this vulnerability, but of course the chances of an attack do increase after public disclosure.

Wandera advises airlines to fully encrypt their check-in process.
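
An added example, not code from Wandera, British Airways or the original article: a check that a mail pipeline could run on outgoing messages to catch check-in links of the kind described above, flagging both plaintext HTTP and passenger identifiers carried in URL parameters. The parameter names, host name and sample email are constructed assumptions, since the article does not give the real ones.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical parameter names for booking reference and surname (assumption).
SENSITIVE_PARAMS = {"bookingref", "pnr", "lastname", "surname"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def audit_links(email_body, sensitive=SENSITIVE_PARAMS):
    """Return one finding per link that is plaintext HTTP or carries identifiers."""
    findings = []
    for raw in URL_RE.findall(email_body):
        parts = urlsplit(html.unescape(raw))  # href values use &amp; in HTML mail
        leaked = sorted(
            name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
            if name.lower() in sensitive
        )
        issues = []
        if parts.scheme.lower() != "https":
            # Anyone on the same network can read the whole request line.
            issues.append("plaintext-http")
        if leaked:
            # Even over HTTPS, URL parameters end up in history, logs and referrers,
            # and here they double as the login to the itinerary.
            issues.append("identifiers-in-url")
        if issues:
            findings.append({"host": parts.hostname, "issues": issues, "params": leaked})
    return findings

# Constructed sample email body: three variants of the same check-in link.
SAMPLE_EMAIL = """
<p>Your flight is ready for check-in.</p>
<a href="http://checkin.airline.example/start?bookingRef=ABC123&amp;lastName=SMITH">Check in</a>
<a href="https://checkin.airline.example/start?bookingRef=ABC123&amp;lastName=SMITH">Check in (TLS)</a>
<a href="https://checkin.airline.example/start?t=9f2c7e1a">Check in (opaque token)</a>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding)
```

Only the third link passes: it uses HTTPS and carries an opaque token rather than the booking reference and surname, which leaves the site free to ask the passenger to authenticate before showing the itinerary.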

A British Airways spokesperson told Forbes that “we take the security of our customers’ data very seriously – like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected.”

Design flaw

The issue drew some commentary from security industry experts, one of whom blamed developers for the ‘design flaw’ in the e-ticketing system.

“The challenge when sending links that could potentially divulge information, such as names and flight confirmation numbers, is that airlines typically use this information to look up and manage reservations,” explained Nabil Hannan, managing principal at Synopsys.

“The confirmation number is something that users need to realise is actually private data,” Hannan said. “This situation illustrates that developers are under intense pressure to complete the development of features, and therefore may forget to take a step back to determine the security implications of the feature they’re implementing. In other words, there isn’t necessarily a security bug, but rather a security design flaw.”

Another expert pointed out that BA is working on the issue, which also affects other airlines.

“This isn’t the first vulnerability either, as as many as 10 airlines were reportedly investigating a similar vulnerability earlier this year,” said Israel Barak, chief information security officer at Cybereason.

“Kudos to British Airlines for acknowledging the incident and for them working quickly to solve any outstanding issues,” said Barak. “This is hardly a knock out punch for the airlines. For the consumer flying with British Airways, or with other carriers, they should be working under the assumption that their personal information has been compromised many times over.”

But another expert questioned why BA had allowed the flaw to exist in the first place.

“It’s surprising that British Airways technical team allowed any URL sent to customers to be sent over plaintext HTTP,” said Tarik Saleh, senior security engineer and malware researcher at DomainTools.

“Although your connection between your computer and your e-mail server are typically encrypted, the link sent to you from British Airways was sent in plaintext HTTP,” said Saleh. “This plaintext HTTP URL when clicked on will log you into your British Airlines online itinerary without entering your credentials.”

“This becomes a security risk when you’re on an untrusted network, like a public WiFi that does not have AP Isolation enabled,” said Saleh. “There are several best practices that British Airways simply did not follow that lead to this. First, any type of URL sent to a customer needs to be encrypted with HTTPS. That would mitigate this security risk right off the bat. Second, any URL that involves handling sensitive customer data should still require to authenticate to it.”

“Security is all about layers,” said Saleh. “Having HTTPS for the itinerary link and a requirement to enter your credentials before viewing it would have prevented this type of exposure from happening. Fortunately, there are some positives here. This vulnerability was responsibly disclosed to British Airways from the security team at Wandera, which gave British Airways a private heads up and allowed them to fix the issue before it was made public.”

“In addition, in order for this attack to be successful the customer would have to be on the same network as an attacker,” he concluded.
