British Airways e-ticketing system could expose passenger details

British Airways has not addressed a potential leak of passenger details despite warnings from security researchers, but says it is aware of the issue and is taking action

Security researchers have gone public with a discovery that British Airways’ e-ticketing system could give bad actors access to passengers’ personally identifiable information (PII), underlining the importance of security by design.

The airline’s check-in links sent to passengers by email are unencrypted and easily intercepted, enabling unauthorised parties to view and change passengers’ flight booking details and personal information, researchers at security firm Wandera warn.

News of the potential personal data leakage comes a month after the UK’s privacy watchdog notified British Airways of its intention to issue a £183m GDPR fine for a personal data breach affecting around 500,000 customers, and just a week after an IT systems failure that caused around 100 flight cancellations and 300 flight delays.

In an effort to streamline the user experience, the Wandera researchers said passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check in for their flight.

The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted.

This means anyone snooping on the same public Wi-Fi network can easily intercept the link request and use the information to gain access to the passenger’s online itinerary to steal more information or even manipulate the booking information.

Information exposed in this way would include names, email addresses, telephone numbers, BA membership numbers and flight details.

Conflicting claims

Wandera said it notified British Airways of the vulnerability in July 2019, but several weeks later, the vulnerability has still not been addressed. However, British Airways told Computer Weekly it has not received any information from Wandera in relation to this issue.

British Airways is not the only airline potentially exposing passenger details in this way. In February 2019, Wandera discovered a similar check-in link vulnerability affecting eight major airlines.

Those affected are: KLM, Air France, Thomas Cook, Vueling, Air Europa, Jetstar, Southwest and Transavia. “All airlines have been notified and urged to take action,” said Wandera.

Security firm recommends that the affected airlines should:

  • Adopt encryption throughout the check-in process;
  • Require explicit user authentication for all steps where PII is accessible and especially when it is editable;
  • Use one-time use tokens for direct links within emails;

Wandera also recommends that customers should have an active mobile security service deployed to monitor and block data leaks and phishing attacks.

Protecting customer information

According to British Airways, it has multiple systems in place to protect customer information, no passport or payment information can be accessed and there is no evidence to suggest any customer data has been taken.

“We take the security of our customers’ data very seriously,” a spokesperson told Computer Weekly. “Like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected.”

The vulnerability in the e-ticketing system at BA and other airlines once again underlines the importance of following best practices in designing IT systems to ensure they are secure by design, which is a key element of UK government policy on technological innovation.

Read more about security by design

The principle is enshrined in the recently published minimum requirements for manufacturers of surveillance camera systems and components, and the voluntary code of practice (CoP) for manufacturers of consumer internet of things (IoT) devices, published by the UK in October 2018.

“There are several best practices that British Airways simply did not follow that lead to this. First, any type of URL sent to a customer needs to be encrypted with HTTPS,” said Tarik Saleh, senior security engineer and malware researcher at DomainTools.

“That would mitigate this security risk right off the bat,” he said. “This would prevent an attacker from seeing the customer information in the URL as well as the link that was able to be hijacked.

“Second, any URL that involves handling sensitive customer data should still require authentication. This means that after a customer clicks on that URL sent by British Airways to view their itinerary, they need to enter their appropriate username and password. Even if the attacker was able to access that URL, they would still require a username and password.

“This is an opportunity for British Airways to invest into a stronger information security programme, particularly considering the steps to mitigate it would have been relatively simple,” he said.

Security implications

“This situation illustrates that developers are under intense pressure to complete the development of features, and therefore may forget to take a step back to determine the security implications of the feature they’re implementing,” said Nabil Hannan, managing principal at Synopsys.

“In other words, there isn’t necessarily a security bug, but rather a security design flaw,” he said. “This flaw exists in how the system designed this check-in process and didn’t analyse any implications around transmitting certain data elements as part of the URL.”

Cesar Cerrudo, chief technology officer at IOActive said that when building a customer facing application, the focus is too often on usability, scalability and performance. “Security can be a bit of an afterthought despite the fact that the information involved is sensitive.

“While it is common practice for airlines to use third party penetration testing for their hardware and critical flight services, they often test their online services and applications in-house using teams that are often under pressure from IT to meet strict time deadlines; meaning things slip through the gaps.

“Employing an experienced third party, one that can think like a hacker, will help to ensure any such vulnerabilities are discovered in the test phase, before any customers have started to use it – helping companies to avoid embarrassment and more importantly ensuring customer data remains safe.”

Unencrypted emails

Javvad Malik, security awareness advocate at KnowBe4, said sending unencrypted emails with authentication data in the URL is certainly far from good security practice.

“Given the recent British Airways fines proposed by the ICO, it does not paint a good picture,” he said. “However, for this attack to be successful, the attacker needs to be connected to the same Wi-Fi network as the victim in order to intercept the email and view the booking. Because of this, the threat is reduced somewhat.

“British Airways will likely fix the issue soon, but it’s a reminder to users that they should exercise caution when connecting to public Wi-Fi hotspots.”

Read more on Privacy and data protection