A vulnerability in the website of American airline Delta allowed the airline's passengers to view and alter other travellers' boarding passes without their knowledge.
Hackers of New York founder Dani Grant this week revealed what appears to be an insecure direct object reference vulnerability in Delta's website that allows the airline's passengers to access others' boarding passes by changing the URL.
The flaw also made it possible to view boarding passes of travellers on other airlines, Grant claimed, and to check in passengers online.
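The sketch below is an added example, not code from Delta or from Grant's report. It shows the general pattern behind a direct object reference flaw and the server-side ownership check that closes it for both viewing and check-in. The record layout, account names and identifiers are all constructed assumptions.

```python
"""Added example: object-level authorization for a boarding-pass lookup.
All names, IDs and records are constructed; this is not Delta's code."""
from dataclasses import dataclass

@dataclass
class BoardingPass:
    pass_id: str        # identifier that appears in the URL
    passenger_id: str   # account that owns the booking
    name: str
    checked_in: bool = False

# Constructed sample records.
PASSES = {
    "1001": BoardingPass("1001", "acct-alice", "ALICE/EXAMPLE"),
    "1002": BoardingPass("1002", "acct-bob", "BOB/EXAMPLE"),
}
DENIED = []  # (session account, requested id) pairs, kept for monitoring

class Forbidden(Exception):
    pass

def get_pass_unchecked(pass_id):
    """Flawed pattern: the URL identifier alone selects the record."""
    return PASSES.get(pass_id)

def _authorize(session_account, pass_id):
    """Return the record only if it belongs to the logged-in account."""
    record = PASSES.get(pass_id)
    # Same error for "missing" and "not yours", so responses do not
    # reveal which identifiers exist.
    if record is None or record.passenger_id != session_account:
        DENIED.append((session_account, pass_id))
        raise Forbidden("boarding pass not available")
    return record

def get_pass(session_account, pass_id):
    """Read path with an ownership check on every request."""
    return _authorize(session_account, pass_id)

def check_in(session_account, pass_id):
    """State-changing path uses the same check before modifying."""
    record = _authorize(session_account, pass_id)
    record.checked_in = True
    return record
```

Repeated entries in `DENIED` from one session across many identifiers are a useful signal that someone is stepping through URL values.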
Grant contacted Delta but only received a response apologising for her "unfortunate online experience". The airline didn't otherwise acknowledge the severity of the vulnerability.
"I certainly understand how insecure you must have felt due to the unpleasant incident you experienced while trying to view and print boarding pass [sic] form our website," a representative from Delta wrote to Grant in an email.
iTnews has contacted Delta for comment. The airline reportedly implemented a fix soon after being made aware of the security issue.
In 2006, privacy researcher Chris Soghoian, now chief technology officer at the American Civil Liberties Union, was raided by the FBI and the Transport Safety Authority after he showed it was possible to alter and create boarding passes in a manner similar to what Grant has shown with Delta.
Soghoian created a valid boarding pass in the name of the late Osama bin Laden on Northwest Airlines to prove his point.
By using a prepaid credit card paid for in cash and a fake passenger name with matching forged identification, Soghoian said it was possible to get around no-fly list restrictions through airlines' online check-in systems.
He went on to write a research paper at Yale University on the subject of bad boarding pass security and ineffective terrorist watch lists.