British Airways flaw allows hackers to change your reservations

Security issues keep popping up for British Airways. Network security experts have revealed a flaw in the airline’s e-ticketing system that, if exploited, could expose passengers’ confidential information, including booking details and history of flights; experts fear that this information could even be modified, which would seriously affect users.

According to reports, the confirmation links that the company sends to its customers via email are not encrypted, so the details they carry can easily be intercepted by threat actors. According to experts, traffic to British Airways’ exposed domains reaches 2 million views, so the incident could have a big impact on the airline.

“To expedite user procedures, passenger details are included in the URL parameters that direct users to the British Airways website via the link sent by email. These URL parameters are the user’s reference number and last name, data that is completely exposed because they do not have encryption,” network security experts said.

In other words, any malicious user on the same public WiFi network could intercept this link request to gain access to the records of any airline user. In addition, it has already been proven how unsafe airport WiFi networks are, a factor that only worsens this possible attack vector.

With access to users’ personal information, threat actors could use this information for phishing attacks or similar activities, or they might even modify a user’s reservation. Among the data exposed by the airline are:

  • Full name
  • Email address
  • Phone numbers
  • Airline user membership data
  • Booking details
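As an added illustration (not code from the article or from the airline), the following Python audits a confirmation link for the two weaknesses described above, unencrypted transport and identifying data in the query string, and shows the conventional fix of substituting an opaque one-time token. The parameter names and sample URLs are assumed, since the article does not give them.

```python
"""Audit e-ticket confirmation links for personal data in the URL.

Added example; not British Airways' code. Query parameter names such as
`ref` and `surname` are assumed, and all URLs are constructed samples.
"""
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Parameter names that commonly carry personal data in e-ticket links (assumed).
SENSITIVE_PARAMS = {"ref", "pnr", "booking", "surname", "lastname", "last_name", "email"}
# Airline booking references (PNRs) are typically six upper-case alphanumerics.
PNR_RE = re.compile(r"^[A-Z0-9]{6}$")


def audit_link(url: str) -> list:
    """Return the findings for one confirmation link (empty list = nothing found)."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        # Plain HTTP: anyone on the same network segment can read the request.
        findings.append("link is not HTTPS")
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"personal data in query parameter '{name}'")
        elif any(PNR_RE.match(v) for v in values):
            findings.append(f"value of '{name}' looks like a booking reference")
    return findings


def harden_link(url: str, token_store: dict) -> str:
    """Replace identifying query parameters with an opaque one-time token over HTTPS.

    The server keeps the token -> booking mapping in `token_store` (a dict here)
    and must still authenticate the user before showing or editing the booking.
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    sensitive = {k: params.pop(k) for k in list(params) if k.lower() in SENSITIVE_PARAMS}
    token = secrets.token_urlsafe(32)  # unguessable, single-use lookup key
    token_store[token] = sensitive
    params["t"] = token
    return urlunsplit(("https", parts.netloc, parts.path, urlencode(params), ""))


if __name__ == "__main__":
    sample = "http://www.example-airline.test/manage?ref=ABC123&surname=SMITH&lang=en"
    print(audit_link(sample))
    store = {}
    print(audit_link(harden_link(sample, store)))
```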

The flaw was discovered last July; British Airways was immediately notified of these vulnerable links. However, network security experts reported that leaks have still been detected in recent weeks, meaning the fault has not been corrected. It is important to note that British Airways has made contact with the experts who reported the fault, so it could be completely corrected in the coming days.

In a statement, the company said that users’ passport and payment card data are not exposed, and that there is no evidence of user information being stolen: “The security of the information of our users is a matter of vital importance; we are taking the necessary steps to ensure that users enjoy our services safely,” the airline says.

Network security experts from the International Institute of Cyber Security (IICS) reported a similar security flaw earlier this year; on that occasion, the companies concerned included Southwest, KLM, Air France and Thomas Cook, among others. To correct that incident, the companies implemented encryption in the online check-in process and were advised to use multi-factor authentication to strengthen the security of logins on their platforms.
