A new flaw in e-ticket systems could allow hackers to print boarding passes belonging to other flyers. Security researchers from Wandera identified the vulnerability in the e-ticketing system frequently used by multiple global airports. Discovered in December, the weakness stems from unsecured check-in emails that put travelers' personal information at risk.
No evidence exists to support a major information breach, but Southwest, Air France, KLM, Vueling, Jetstar, Thomas Cook, Transavia, and Air Europa airlines have all been impacted by the exposure. As reported by Wandera, the airlines sent unencrypted check-in links to passengers’ emails. The links automatically logged passengers into a website to check their flight status or print their boarding passes. This left passengers vulnerable to hackers sharing the same WiFi network, who could gain access to that information.
In addition to flight data, personal information was also at risk, including seat assignments, full names, baggage claims, and passport information. How much information could be stolen depends on the e-ticketing system, which varies from airline to airline.
According to Wandera, “Our threat research team observed that travel-related passenger details were being sent without encryption as one of our secured customers accessed the e-ticketing system of one of the airlines mentioned above. It was at that time that Wandera notified the airline and began further research.”
The breach was reported to the appropriate authorities and the airlines, with a timeline of 4 weeks to find and mend the problem before it would be made public. To prevent this from happening in the future, Wandera suggests airlines incorporate stronger encryption methods, implement user authorization, and use one-time tokens for links within emails.
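To illustrate the last two suggestions, user authorization and one-time tokens, here is an added example that is not code from Wandera or any airline. The host name, function names, in-memory store and 15-minute lifetime are assumptions; the point is that the emailed link is HTTPS-only, expires, works once, and does not log the passenger in by itself.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime for an emailed link
_store = {}                   # sha256(token) -> record; stands in for a database


def _digest(token):
    # Only a hash of the token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_checkin_link(booking_ref, surname, now=None):
    """Create a single-use, expiring HTTPS check-in link for one booking."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _store[_digest(token)] = {
        "booking": booking_ref,
        "surname": surname.casefold(),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    # Hypothetical host; the scheme is always https so the token is not sent in clear.
    return f"https://checkin.airline.example/c?t={token}"


def redeem(token, surname, now=None):
    """Return the booking reference, or None if the link must be rejected."""
    now = time.time() if now is None else now
    rec = _store.get(_digest(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None                            # unknown, replayed or expired
    # User authorization: possession of the link alone is not enough.
    supplied = surname.casefold().encode()
    if not hmac.compare_digest(rec["surname"].encode(), supplied):
        return None
    rec["used"] = True                         # one-time: burn on success
    return rec["booking"]
```

A production version would also cap failed surname attempts per token and keep the store in a database shared across servers.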