Sign up to our newsletter
A vulnerability at Delta Airlines which allowed customers to view any other passengers’ electronic boarding passes has been fixed, reports Ubergizmo.
Dani Grant, a product intern at Buzzfeed discovered she could share the URL of her electronic boarding pass for anyone else to download, and then realized that with a single change of digits in the URL another passenger’s details would be revealed – even those on different airlines.
Although the exploit would have had limited real world functionality – it is, afterall, just a single layer of security in a multi-tiered airport ecosystem – the Delta Airlines hack could have allowed customers to check in on other passengers, and change their seat should they wish. Beyond that, it has limited reach, as Engadget explains: “You’d need to have a legitimate boarding pass in your own name to get past the TSA. Then if you successfully obtained someone else’s boarding pass, it’d have to originate from the same airport you’re at. In other words, if you’re holding a boarding pass from New York to Minneapolis, that Atlanta to Barcelona ticket won’t do much good.”
The TSA’s press secretary played down the issue, stating that, “Travel document checking is just one layer of TSA’s defense for aviation security. Officers are trained to detect and potentially deter individuals who may attempt to board an aircraft with fraudulent documents.”
Speaking to TIME Magazine, Delta Airlines spokesperson Paul Skrbec explained that the issue had been fixed as of Tuesday afternoon: “After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring.” He said that there was no sign of any compromised customer accounts.
Mashable also reached out to Southwest Airlines, who were affected by amending a digit with boarding passes, and a similar fix was in place. “As soon as we became aware of the issue, we contacted the vendor that powers the mobile boarding functionality to quickly resolve the situation,” explained a spokesperson for the airline. “Upon notification, the issue was immediately eliminated and we do not have reports of Southwest Customers being impacted.”
“We will continue to monitor and are engaged in conversation with our vendor,” the spokesperson added.
Author Alan Martin, ESET