Jetstar says 'no evidence' of check-in link abuse

By on
Jetstar says 'no evidence' of check-in link abuse

As researchers uncover mobile check-in link vulnerability.

Jetstar is among a number of airlines globally that are sending customers unencrypted links to click through and check in for flights, security researchers say.

Threat researchers at mobile security firm Wandera said the vulnerable links can be “easily intercepted by hackers”, who could use them to access a range of customer data.

“Upon clicking these unencrypted links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make certain changes to their booking and print off the boarding pass,” Wandera said in a blog post.

“A hacker on the same network as the passenger can easily intercept the link request, use it themselves and then gain access to the passenger’s online check-in.”

Michael Covington, a product vice president at the vendor, told Cyberscoop that certain customer information was embedded in the link urls themselves for authentication with the backend e-ticketing engine.

The links are “unencrypted and reusable”, Covington said.

“Using these credentials, the attacker can visit the e-ticketing system at any point, even multiple times, prior to the flight taking off and access all the PII [personally identifiable information] associated with the airline booking,” Wandera said.

Wandera said it had exercised responsible disclosure and shared its findings with all airlines it had found to be susceptible.

A Jetstar spokesperson told iTnews that it had not seen evidence of misuse.

“We take cyber security and privacy extremely seriously and have no evidence of our customers’ booking details or data ever being misused by unauthorised parties through the booking link,” the spokesperson said.

“To ensure our customers’ information remains protected we have multiple layers of security in place and are continuously implementing further cyber safeguards for emails, itineraries and our systems.

“Sensitive customer information such as payment details are not accessible through a customer’s booking link.”

Wandera said the amount of information that could be obtained by intercepting the check-in link and embedded credentials varied by airline.

It anonymised this part of its findings. For one airline, only the passenger’s last name and booking reference could be accessed; for others, a bevy of data including payment details could be found.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
checkin jetstar mobile security unencrypted url wandera

Most Read Articles

Telstra to have Australian agents answer all inbound calls from 2022

Telstra to have Australian agents answer all inbound calls from 2022
Woolworths identifies stores with stock in chats initiated from Google Search, Maps

Woolworths identifies stores with stock in chats initiated from Google Search, Maps
ATO to integrate new digital services API gateway

ATO to integrate new digital services API gateway
NBN Co to cut 800 staff by end of 2020

NBN Co to cut 800 staff by end of 2020
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Get IT, finance and business on the same page
Get IT, finance and business on the same page
Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
Organizations Increasing Their Adoption of NFV
Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD

Events

Log In

Username / Email:
Password:
  |  Forgot your password?