Jetstar says 'no evidence' of check-in link abuse

By on
Jetstar says 'no evidence' of check-in link abuse

As researchers uncover mobile check-in link vulnerability.

Jetstar is among a number of airlines globally that are sending customers unencrypted links to click through and check in for flights, security researchers say.

Threat researchers at mobile security firm Wandera said the vulnerable links can be “easily intercepted by hackers”, who could use them to access a range of customer data.

“Upon clicking these unencrypted links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make certain changes to their booking and print off the boarding pass,” Wandera said in a blog post.

“A hacker on the same network as the passenger can easily intercept the link request, use it themselves and then gain access to the passenger’s online check-in.”

Michael Covington, a product vice president at the vendor, told Cyberscoop that certain customer information was embedded in the link urls themselves for authentication with the backend e-ticketing engine.

The links are “unencrypted and reusable”, Covington said.

“Using these credentials, the attacker can visit the e-ticketing system at any point, even multiple times, prior to the flight taking off and access all the PII [personally identifiable information] associated with the airline booking,” Wandera said.

Wandera said it had exercised responsible disclosure and shared its findings with all airlines it had found to be susceptible.

A Jetstar spokesperson told iTnews that it had not seen evidence of misuse.

“We take cyber security and privacy extremely seriously and have no evidence of our customers’ booking details or data ever being misused by unauthorised parties through the booking link,” the spokesperson said.

“To ensure our customers’ information remains protected we have multiple layers of security in place and are continuously implementing further cyber safeguards for emails, itineraries and our systems.

“Sensitive customer information such as payment details are not accessible through a customer’s booking link.”

Wandera said the amount of information that could be obtained by intercepting the check-in link and embedded credentials varied by airline.

It anonymised this part of its findings. For one airline, only the passenger’s last name and booking reference could be accessed; for others, a bevy of data including payment details could be found.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
checkin jetstar mobile security unencrypted url wandera

Most Read Articles

'Zerologon' Windows domain admin bypass exploit released

'Zerologon' Windows domain admin bypass exploit released
Aussie Broadband boss says NBN Co could change price construct in months, if it wanted to

Aussie Broadband boss says NBN Co could change price construct in months, if it wanted to
Service NSW's in-app contact tracing tool goes live statewide

Service NSW's in-app contact tracing tool goes live statewide
Macquarie University brings Accenture onboard for HR transformation

Macquarie University brings Accenture onboard for HR transformation
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

A Migration Guide For Businesses Switching Mobile Device Management Solutions
A Migration Guide For Businesses Switching Mobile Device Management Solutions
Plan your post-COVID security strategy
Plan your post-COVID security strategy
The Executive's Guide To The Future Of Work
The Executive's Guide To The Future Of Work
Government Digital Transformation Requires Customer Obsession
Government Digital Transformation Requires Customer Obsession
Master the fundamentals of AWS cost efficiency
Master the fundamentals of AWS cost efficiency

Events

Log In

Username / Email:
Password:
  |  Forgot your password?