Poor security at Thomas Cook airlines leads to simple extraction of fliers’ personal data

Thousands of holidaymakers relying upon Thomas Cook Airlines to get them to their vacation may have had their information put at risk due to sloppy security.

Roy Solberg, a programmer in Norway, discovered that it was possible to retrieve the following information from Thomas Cook Airlines’ systems using only a booking reference number:

  • Full name of all travelers on that booking
  • Email address of person registering the booking
  • Departure:
    • Date
    • Airport
    • Flight number
  • Return:
    • Date
    • Airport
    • Flight number

Solberg discovered that trips booked through the travel agency Ving, whose parent company is Thomas Cook, are assigned incremental booking reference numbers. In other words, you can reach other customers’ details simply by decrementing or incrementing the reference number in a URL.

This is known as an Insecure Direct Object Reference (IDOR): the application treats knowledge of an object’s identifier as proof that the requester is allowed to see it. It is not only a commonly-encountered problem on poorly-designed web applications, but also easy for an attacker to exploit.

In his tests, Solberg says that he was able to use the technique to see details of trips as far back as 2013, through to 2019. The bug finder believes that he could easily have written a computer program to loop through possible booking reference numbers and extract the personal details of most customers and their trips.
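To make the two ingredients of this bug concrete, here is an added example (not code from the article, from Thomas Cook or from Solberg) of a booking lookup in the vulnerable shape, the same lookup with an authorisation check, a non-sequential reference generator, and a small detector that flags a client walking consecutive reference numbers in access logs. The booking records, e-mail addresses, flight codes and log lines are all constructed sample data, not real customer information.

```python
"""IDOR on a booking lookup: vulnerable vs hardened, plus log-based detection.

Added example, not code from the original article. All data below is constructed.
"""
import secrets
import string
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Booking:
    reference: str
    owner_email: str          # the account that made the booking
    travellers: Tuple[str, ...]
    outbound: str             # "date airport flight", constructed
    inbound: str


# Constructed sample bookings with sequential references, the pattern the article describes.
BOOKINGS: Dict[str, Booking] = {
    "100001": Booking("100001", "anna@example.com", ("Anna Example", "Bo Example"),
                      "2018-07-01 OSL TCX123", "2018-07-15 PMI TCX124"),
    "100002": Booking("100002", "carl@example.com", ("Carl Example",),
                      "2018-07-02 ARN TCX201", "2018-07-09 AYT TCX202"),
    "100003": Booking("100003", "dina@example.com", ("Dina Example", "Erik Example"),
                      "2018-07-03 CPH TCX301", "2018-07-17 LPA TCX302"),
}


def lookup_vulnerable(reference: str) -> Optional[Booking]:
    """IDOR: the reference alone is accepted as authorisation.

    Anyone who knows, or guesses, a reference gets the full record.
    """
    return BOOKINGS.get(reference)


def lookup_hardened(reference: str, session_email: Optional[str]) -> Optional[Booking]:
    """Identifier plus an ownership check against the authenticated session.

    A missing session, a wrong owner and a non-existent reference all return
    None, so the endpoint does not reveal which references exist.
    """
    booking = BOOKINGS.get(reference)
    if booking is None or session_email is None:
        return None
    if booking.owner_email != session_email:
        return None
    return booking


REF_ALPHABET = string.ascii_uppercase + string.digits


def new_reference(length: int = 8) -> str:
    """Non-sequential reference drawn from a CSPRNG (36**8 values for length 8).

    Neighbouring bookings are no longer one increment apart; this reduces
    enumeration but is not a substitute for the ownership check above.
    """
    return "".join(secrets.choice(REF_ALPHABET) for _ in range(length))


# Constructed access-log lines: "client method path".
LOG_LINES: List[str] = [
    "203.0.113.5 GET /booking/100001",
    "203.0.113.5 GET /booking/100002",
    "203.0.113.5 GET /booking/100003",
    "203.0.113.5 GET /booking/100004",
    "198.51.100.7 GET /booking/100002",
]


def flag_sequential_walkers(lines: List[str], min_run: int = 3) -> Dict[str, int]:
    """Return clients whose requests include a run of >= min_run consecutive numeric references.

    A legitimate customer looks up one or two bookings; a client stepping
    through 100001, 100002, 100003... is the enumeration the article warns about.
    """
    refs_by_client: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        client, _method, path = line.split()
        ref = path.rsplit("/", 1)[-1]
        if ref.isdigit():
            refs_by_client[client].append(int(ref))

    flagged: Dict[str, int] = {}
    for client, refs in refs_by_client.items():
        run = best = 1
        for previous, current in zip(refs, refs[1:]):
            run = run + 1 if current == previous + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("100002"))
    print("hardened, wrong owner:", lookup_hardened("100002", "anna@example.com"))
    print("hardened, owner:", lookup_hardened("100002", "carl@example.com"))
    print("new reference:", new_reference())
    print("flagged clients:", flag_sequential_walkers(LOG_LINES))
```

The ownership check is the actual fix; random references only raise the cost of guessing. Returning the same "not found" answer for an unknown reference and for someone else's booking matters too, otherwise the endpoint still leaks which references are live. The detector is deliberately simple: in production you would key on session or API token as well as source address and apply it to the logs of the lookup endpoint itself.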

Solberg says that data on bookings made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway was affected by the vulnerability, but it seems perfectly plausible that other sites may be similarly impacted.

Aside from other privacy concerns (airlines will not normally confirm who is booked on what flight) such information could also be used in targeted phishing attacks claiming to come from a travel operator.

And if there’s more than one person travelling on the same booking, they would be visible too.

Which, as Solberg explains, is potentially another concern for those wishing to keep the details of their trip private:

“Some people might not like that you can see who they travelled with on vacation maybe 5 years ago. (‘Didn’t you say you were going to that job conference in Stockholm? And who is this you were travelling with?’)”

Solberg details on his blog how difficult it was to receive a timely response from Thomas Cook Airlines about the security vulnerability, although he does note that it has now been resolved.

Of course, we have little way of knowing if anyone exploited the security vulnerability in the past five-or-so years.


About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and privacy.

Follow him on Twitter at @gcluley, or drop him an email.
