Airline check-in is wide open

Ken Munro, SecureTest

My colleague recently took a flight to the US. A few days before he flew, he received an email from the airline, indicating that online check-in was available. The email contained a link, which itself contained the URL of the airline, and passed two parameters to the web site to authenticate my colleague to the check-in application. What was interesting was that whilst one parameter was his surname, the other was a six-character value, made up only of uppercase letters and the digits 0-9.

If I could intercept the email (not as easy as you might think) then I would have trivial authenticated access to the online check-in area. I could change seats, modify food orders and even cancel bookings. If I was on the standby list for an overbooked flight, I could cancel some of the other booked passengers, and pinch their seats.

Assuming I couldn’t intercept the email, how about brute forcing the login? All I need is someone’s surname before cracking several billion potential 6-character values to get into their check-in account. However, whilst online check-in websites are capable of withstanding large volumes of traffic, even that would not let a single site serve enough attempts to crack the system in a useful time. We need to look wider.

It transpires that many airlines use the Amadeus booking application. Most airlines have a similar online check-in engine, all linked to the same backend database. Travel agents also have interfaces to this on their websites. Hence, one can distribute the attack over numerous different web sites, reducing the time to crack to under a week, potentially even a single day.

Old flight data appears to be present in the Amadeus database too, so if you’ve flown in the past, that information is probably still there. We checked several old booking references for colleagues and found the accounts still live in the database. That too increases the chance of cracking an account.

Further, if one doesn’t care about trying to attack a particular passenger, how about choosing a common surname? How many ‘Smiths’ pass through UK airports every day? Now we have brought down the time required to crack into an account to a matter of minutes.

Are there more sinister attacks? When my colleague browsed around his online check-in account, we found that no significant personal information was displayed. In order to get to that data, he would have to enter his passport number first.

Back to brute force attacks: in the case of a passport number (again, several billion combinations) this was going to take some time. If I was prepared to attack an individual, the above passport-based login process created an issue. Currently it is very difficult to obtain a victim’s passport number, unless one is prepared to try social engineering. But, by brute forcing this second login, not only could I find large amounts of useful personal information about them, I could also deduce their passport number when I finally crack their account.

What should the airlines be doing about this? Firstly, I don’t particularly like the concept of passing credentials in an email link, though that isn’t the root cause of this problem. It’s more that a relatively short ‘password’ is used and that the account username is the surname of the passenger. Amadeus could solve the problem quickly by increasing the length of the password by a few characters.

Secondly, the logins discussed above should not permit automated attacks. By implementing a CAPTCHA (www.wikipedia.org/captcha) it’s possible to ensure that only a human is entering the data. Basic CAPTCHAs have been defeated, but advanced versions are more robust against these attacks.
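To make the two recommendations concrete, here is an added example (not from the article, nor code from any airline or Amadeus): it sizes the 36-symbol keyspace at different code lengths, and runs a simple failure counter over a constructed login log to show why attempt counting has to happen at the shared back end rather than per website. The log format, hostnames and addresses are assumptions.

```python
from collections import defaultdict

ALPHABET = 36  # uppercase A-Z plus digits 0-9, as in the six-character value


def keyspace(length: int, alphabet: int = ALPHABET) -> int:
    """Number of distinct codes of the given length over the alphabet."""
    return alphabet ** length


def hours_to_exhaust(length: int, attempts_per_second: float) -> float:
    """Worst-case hours to try every code at a fixed, sustained guess rate."""
    return keyspace(length) / attempts_per_second / 3600


# Constructed sample log (assumed format, not real airline data):
# timestamp  front-end host  client IP  surname  outcome
SAMPLE_LOG = """\
2008-06-01T10:00:01 checkin.airline-a.example 198.51.100.7 SMITH FAIL
2008-06-01T10:00:01 checkin.airline-b.example 198.51.100.8 SMITH FAIL
2008-06-01T10:00:02 agent.travel-c.example 198.51.100.9 SMITH FAIL
2008-06-01T10:00:02 checkin.airline-a.example 203.0.113.5 JONES OK
2008-06-01T10:00:03 checkin.airline-a.example 198.51.100.7 SMITH FAIL
2008-06-01T10:00:03 checkin.airline-b.example 198.51.100.8 SMITH FAIL
2008-06-01T10:00:04 agent.travel-c.example 198.51.100.9 SMITH FAIL
2008-06-01T10:00:05 checkin.airline-a.example 203.0.113.6 PATEL FAIL
"""


def failed_attempts_by_surname(log_text: str):
    """Count failed logins per surname across all front ends, and record
    which front ends each surname was tried through."""
    fails = defaultdict(int)
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        _ts, host, _ip, surname, outcome = line.split()
        if outcome == "FAIL":
            fails[surname] += 1
            hosts[surname].add(host)
    return fails, hosts


def flag_distributed_bruteforce(log_text: str, max_fails=5, min_hosts=2):
    """Surnames with at least max_fails failures spread over at least
    min_hosts front ends. A per-site counter sees only a fraction of these,
    which is why the threshold must be applied at the shared back end."""
    fails, hosts = failed_attempts_by_surname(log_text)
    return sorted(s for s in fails
                  if fails[s] >= max_fails and len(hosts[s]) >= min_hosts)
```

Each front end in the sample sees only two SMITH failures, below the threshold; only the combined view crosses it, and lengthening the code multiplies the keyspace by 36 per added character.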
