Critical Check-In Flaw Exposes British Airways’ Passengers

A critical flaw in British Airways e-ticketing system exposed personal data of passengers. Researchers at Wandera, discovered the major security flaw last month. An estimated 2.5 million connections to the British Airways domains in the last six months were exposed.

Wandera found that British Airways was sending passengers vulnerable, unencrypted check-in links to their inboxes. Anyone viewing their check-in links were easily susceptible to data leaks.

The researchers stated in their blog post:

“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight.”

Unfortunately, this expansion on user experience left passengers vulnerable. The unencrypted link exposes information to anyone on the same network as the passenger. This means that personal identifiable information (PII), such as name, email address, telephone numbers, itinerary, flight numbers, flight times were exposed.

Any malicious actor, snooping on the same network as the passenger could easily intercept the link request. Gaining access to personal data and potentially changing booking information.

Wandera discovered the flaw and informed British airlines in July 2019. The researchers have stated this week that their team found that the links are still vulnerable, however, said that “British Airways has been in touch with us this morning so we are hopeful it will be addressed soon.”

British Airways has spoken out on the leak saying that they are taking the discovery “very seriously” and “are taking action to ensure our customers remain securely protected.” Further, they commented that passport and payment information was not exposed and there is no evidence that customer data was taken.

British Airways is the latest airline discovered to have been exposing data this year. Last February, eight major airlines were found with a similar check-in vulnerability. These airlines include” Air France, Air Europa, Transavia, Thomas Cook, KLM, Vueling, Southwest, and Jetstar.

Wandora recommends that Airlines should begin encrypting their check-in processes and all direct-links sent in emails should have one-time tokens. Further, any time PII information is exposed and when it can be changed, explicit user authentication should be required.


Contact LIFARS for security advisory solutions today