Website bugs in a premium luggage service exposed every user’s travel plans, including those of diplomats

An airline that left all of its passengers’ travel records vulnerable to hackers would make an attractive target for espionage. Less obvious, but perhaps even more useful to those spies, would be access to a premium travel service that spans 10 different airlines, left its own detailed flight information accessible to data thieves, and seems to be favored by international diplomats.

That is what a team of cybersecurity researchers found in the form of Airportr, a UK-based luggage service that partners with airlines to let its mostly UK and European users pay to have their bags picked up, checked, and delivered to their destination. Researchers at the firm CyberX9 found that simple bugs in Airportr’s website allowed them to access nearly all of those users’ personal information, including travel plans, and even to gain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit. Even in the small fraction of user data that the researchers reviewed and shared with Wired, they found personal information and travel records of multiple government officials and diplomats from the UK, Switzerland and the United States.

“Anyone would have been able to gain, or might have gained, absolute super-admin access to all the operations and data of this company,” said Himanshu Pathak, founder and CEO of CyberX9. “These vulnerabilities resulted in the exposure of fully confidential private information of all airline customers in all countries who used the company’s services, including full control of all bookings and luggage. Because once you are the super-admin of their most sensitive systems, you can do anything.”

Airportr’s CEO Randel Darby confirmed the CyberX9 findings in a written statement to Wired, but noted that Airportr disabled the vulnerable part of its website’s backend shortly after the researchers made the company aware of several issues last April, and resolved the issues within a few days. “The data was accessed only by ethical hackers, with the aim of suggesting improvements to the security of Airportr, and there is no further risk, given our timely response and mitigation measures,” Darby wrote in a statement. “We take our responsibility to protect customer data very seriously.”

CyberX9’s researchers countered that the simplicity of the vulnerabilities they found means there is no guarantee that other hackers did not access Airportr’s data first. They found that relatively basic web vulnerabilities allowed them to change any user’s password and access that account if they had only the user’s email address, and they were able to brute-force guess email addresses because the website had no rate limits. As a result, they could access data including all customers’ names, phone numbers, home addresses, detailed travel plans and history, air tickets, boarding passes and flight details, passport images and signatures.

By gaining access to an administrator account, a hacker could also have used the vulnerabilities the researchers found to redirect luggage, steal luggage, and even cancel flights on airline sites by using Airportr’s data to access customer accounts on those sites. The researchers say they could also have used their access to send emails and text messages as Airportr, a potential phishing risk. Airportr told Wired that it has 92,000 users, and it claims on its website that it has processed more than 800,000 bags for its customers.
