British Airways E-Ticketing Flaw Exposes Passenger Flight, Personal Data

BA have not had a good time with IT recently. Here's one more problem to deal with:

[…] Researchers on Tuesday said that check-in links being sent by British Airways to their passengers via email are unencrypted – opening them up to an attack that could expose victims’ booking reference numbers, phone numbers, email addresses and more. Researchers told Threatpost they estimate that 2.5 million connections were made to the affected British Airways domains over the past six months, so the potential impact is “significant.”

“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight,” said researchers with Wandera in a Tuesday analysis. “The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted.”

That means that someone snooping on the same public Wi-Fi network can easily intercept the link request, use it themselves and then gain access to the passenger’s online check-in. Making matters worse, several airports are notorious for their risky Wi-Fi networks.


Original article here
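To make the reported weakness concrete from the defender's side, here is an added example (not code from the article, Wandera or British Airways) that audits emailed links for the two problems described, a non-HTTPS scheme and passenger identifiers in the query string, and shows the hardened alternative: an HTTPS link carrying only an opaque, expiring, single-use token while the booking details stay server-side. The parameter names, hostnames and sample link are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs
import secrets
import time

# Query-parameter names treated as passenger identifiers (assumed names; the
# article only says "booking reference and surname", not the actual keys).
SENSITIVE_PARAMS = {"bookingref", "pnr", "surname", "lastname", "email", "phone"}


def audit_link(url: str) -> list[str]:
    """Return findings for one emailed link; an empty list means it passes.

    Two checks mirror the two halves of the reported problem: the link is
    not HTTPS (anyone on the same Wi-Fi can read it), and the query string
    itself carries identifiers that log the passenger in automatically.
    """
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("plaintext-transport")
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    exposed = sorted(keys & SENSITIVE_PARAMS)
    if exposed:
        findings.append("identifiers-in-url:" + ",".join(exposed))
    return findings


class CheckinLinkIssuer:
    """Hardened alternative: HTTPS link with an opaque, expiring, single-use
    token; nothing in the URL identifies the passenger or the booking."""

    def __init__(self, base="https://checkin.example.invalid/ci", ttl=3600):
        self._base, self._ttl, self._store = base, ttl, {}

    def issue(self, booking_ref, surname, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits, unguessable
        self._store[token] = (booking_ref, surname, now + self._ttl)
        return f"{self._base}?t={token}"

    def redeem(self, url, now=None):
        """Return (booking_ref, surname), or None if missing, used or expired."""
        now = time.time() if now is None else now
        token = parse_qs(urlsplit(url).query).get("t", [None])[0]
        rec = self._store.pop(token, None)         # pop => single use
        if rec is None or now > rec[2]:
            return None
        return rec[0], rec[1]


# Constructed sample of the weak link shape the article describes.
WEAK_LINK = "http://checkin.example.invalid/ci?bookingref=ABC123&surname=SMITH"
```

Running `audit_link` over the links in an outbound mail template catches the weak shape before it ships; the issuer shows why a token link passes the same audit while a replayed or stale token is rejected.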