The e-ticketing systems of eight airlines, including Southwest Airlines and Dutch carrier KLM, have a vulnerability that could expose personal information and result in tampering with seats and boarding passes.
The exposed data could include the following:
- Email addresses
- First and last names
- Passport or ID information — including the document number, the issuing country and the expiration date
- Booking references
- Flight numbers and times
- Seat assignments
- Baggage selections
- Full boarding passes
- Partial credit card details
- Details of booking travel companies
Researchers at mobile security firm Wandera published a report highlighting a vulnerability found in check-in emails delivered to passengers.
The issue stems from the use of unencrypted check-in links sent to passengers via email. When a person clicks on the link, they are directed to a site to check in for their flight, make changes or print their boarding pass. An attacker who obtains the link can then view and, in some cases, even change the victim’s flight booking details, or print their boarding passes.
Air France, Vueling, Jetstar, Thomas Cook, Transavia and Air Europa also have this problem, according to Wandera.
“Wandera investigated the e-ticketing systems in use by over 40 global airlines,” said Michael Covington, the company’s VP of product.
Wandera gives vendors up to four weeks to provide a patch or relevant fix before publicly disclosing a vulnerability.
The company has been communicating with “some of the affected airlines” but has not been able to verify that any fixes have been implemented, Covington said.
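For teams that send transactional email, the unencrypted check-in links described above can be caught before a message leaves the building. The following is an added example, not code from the article or from Wandera: it audits one outbound HTML email and flags links that use plain HTTP and carry booking identifiers. The parameter names, the `airline.example` domain and the sample message are constructed assumptions, since the article does not describe the real link format.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Hypothetical parameter names; the article does not give the real ones.
SENSITIVE_PARAMS = {"pnr", "booking_ref", "surname", "token"}
class HrefCollector(HTMLParser):
    """Collect the href of every anchor tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def audit_email_links(raw_email):
    """Flag web links that travel in cleartext and carry booking identifiers."""
    msg = message_from_string(raw_email, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # no HTML part to inspect
    collector = HrefCollector()
    collector.feed(body.get_content())
    findings = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are out of scope
        ids = sorted(k.lower() for k, _ in parse_qsl(parts.query)
                     if k.lower() in SENSITIVE_PARAMS)
        findings.append({"url": href, "cleartext": parts.scheme == "http",
                         "identifiers": ids,
                         "high_risk": parts.scheme == "http" and bool(ids)})
    return findings

# Constructed sample message; airline.example is a placeholder domain.
SAMPLE = """\
From: checkin@airline.example
Subject: Check in for your flight
Content-Type: text/html; charset="utf-8"

<a href="http://checkin.airline.example/start?pnr=ABC123&amp;surname=DOE">Check in</a>
<a href="https://www.airline.example/help?pnr=ABC123">Help</a>
<a href="mailto:support@airline.example">Contact</a>
"""

if __name__ == "__main__":
    print(*audit_email_links(SAMPLE), sep="\n")
```

A `high_risk` finding marks a link that should be reissued over HTTPS, ideally without the identifiers in the URL at all.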