British Airways exposes personal and flight information of passengers due to flaw in e-ticketing system

• The flaw exposed personal information as well as the flight itinerary of passengers through unencrypted check-in URLs.
• Anyone on the same network as a passenger accessing their check-in link could snoop on their information.

Security researchers from Wandera discovered a security flaw in the e-ticketing system of British Airways. This flaw could potentially lead to exposure of passenger data, including their flight details and personal information.

What happened?

The researchers found that the flight check-in links sent to passengers by British Airways via email were unencrypted. This opens the door for an attack that could expose the passengers’ booking reference numbers, phone numbers, email addresses, and more.

“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight,” wrote the Wandera researchers in a blog post.

“The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted,” added the researchers.

Due to the lack of encryption, someone on the same network can easily snoop such requests to view information about the passengers or even alter their booking information.

What information was exposed?

The exposed information includes passengers’ names, email addresses, phone numbers, membership numbers, booking reference numbers, itineraries, flight numbers, flight times, and seat numbers.

Worth noting

The researchers discovered this flaw in July 2019 and soon informed the airline about it. At the time of sharing their analysis, the researchers stated that the flaw had not yet been fixed.

What is the impact?

As per the researchers’ estimate, 2.5 million connections were made to the affected British Airways domains in the last six months. However, according to British Airways, no passport or payment information could be accessed by exploiting this flaw. The airline also stated that there is no evidence of any customer information being accessed illegally.

“We take the security of our customers’ data very seriously. Like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected,” a British Airways spokesperson told Threatpost.