Check-in links that British Airways emails to its passengers are sent unencrypted. “In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight,” stated researchers. Because the link is unencrypted and carries the passenger details in its URL parameters, anyone on the same network as a passenger who opens it can read those details and potentially alter the booking. Information exposed this way includes passengers’ names, email addresses, phone numbers, membership numbers, booking reference numbers, itineraries, flight numbers, flight times, and seat numbers. The flaw was discovered in July and reported to British Airways shortly afterwards; at the time of this report it had not yet been fixed. A British Airways spokesperson said: “We take the security of our customers’ data very seriously. Like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected.” It was also confirmed that none of the information had been accessed illegally.
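The following is an added example, not code from the article or from British Airways, showing why a link of the kind described above is dangerous: the hostname, parameter names and passenger values are constructed for illustration (the article does not give the real ones), and `checkin.example.invalid` is a reserved, non-routable domain. The first function audits a link for the two weaknesses the researchers describe (no encryption in transit, identifying details in the query string); the second reconstructs the passenger details from a plain-HTTP request exactly as someone capturing traffic on the same network would see it.

```python
from urllib.parse import urlsplit, parse_qs

# Query-parameter names that identify a passenger or a booking if they appear
# in a check-in link. These names are assumptions for illustration; the
# article does not state which parameter names British Airways used.
SENSITIVE_PARAMS = {
    "email", "surname", "firstname", "phone", "membership",
    "bookingref", "flight", "seat",
}

# Constructed sample links (hypothetical host and values, not real BA URLs).
# LEAKY_LINK mirrors the pattern the article describes: plain http, with the
# passenger's details in the query string so the site can log them in.
LEAKY_LINK = (
    "http://checkin.example.invalid/manage?"
    "email=jane.doe%40example.invalid&surname=Doe&bookingref=ABC123"
    "&flight=BA0117&seat=14A&phone=%2B441234567890"
)
# SAFER_LINK carries only an opaque, server-side reference over https.
SAFER_LINK = "https://checkin.example.invalid/manage?token=7f0c4e1d"

# Constructed capture of the request a browser would send for LEAKY_LINK.
# Over plain http every byte of this, including the query string, is visible
# to anyone positioned on the same network path.
CAPTURED_REQUEST = (
    "GET /manage?email=jane.doe%40example.invalid&surname=Doe&bookingref=ABC123"
    "&flight=BA0117&seat=14A&phone=%2B441234567890 HTTP/1.1\r\n"
    "Host: checkin.example.invalid\r\n"
    "User-Agent: ExampleMailClient/1.0\r\n"
    "\r\n"
)


def audit_checkin_link(url: str) -> dict:
    """Report whether a check-in link is sent in the clear and which
    identifying parameters it exposes in its query string."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    exposed = sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)
    return {
        # Anything other than https means the whole URL travels unencrypted.
        "plaintext": parts.scheme.lower() != "https",
        "exposed_params": exposed,
    }


def recover_passenger_details(raw_request: str) -> dict:
    """Rebuild the passenger details from a captured plain-HTTP request,
    i.e. what an on-path observer learns without touching the mailbox."""
    request_line, *header_lines = raw_request.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        return {}
    host = ""
    for line in header_lines:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
            break
    # Reassemble the URL the victim requested, then pull out the details.
    url = f"http://{host}{target}"
    query = parse_qs(urlsplit(url).query)
    return {
        name: values[0]
        for name, values in query.items()
        if name.lower() in SENSITIVE_PARAMS
    }


if __name__ == "__main__":
    for label, link in (("leaky", LEAKY_LINK), ("safer", SAFER_LINK)):
        print(label, audit_checkin_link(link))
    print("observer sees:", recover_passenger_details(CAPTURED_REQUEST))
```

The contrast between the two links is the practical fix the article implies: a check-in link should be https and should carry nothing but an opaque, short-lived token that the server resolves to the booking, so that even an observer who does see the URL learns nothing about the passenger from it.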