Jetstar says 'no evidence' of check-in link abuse

Jetstar is among a number of airlines globally that are sending customers unencrypted links to click through and check in for flights, security researchers say.

Threat researchers at mobile security firm Wandera said the vulnerable links can be “easily intercepted by hackers”, who could use them to access a range of customer data.

“Upon clicking these unencrypted links, a passenger is directed to a site where they are logged in automatically to the check-in for their flight, and in some cases they can then make certain changes to their booking and print off the boarding pass,” Wandera said in a blog post.

“A hacker on the same network as the passenger can easily intercept the link request, use it themselves and then gain access to the passenger’s online check-in.”

Michael Covington, a product vice president at the vendor, told Cyberscoop that certain customer information was embedded in the link urls themselves for authentication with the backend e-ticketing engine.

The links are “unencrypted and reusable”, Covington said.

“Using these credentials, the attacker can visit the e-ticketing system at any point, even multiple times, prior to the flight taking off and access all the PII [personally identifiable information] associated with the airline booking,” Wandera said.

Wandera said it had exercised responsible disclosure and shared its findings with all airlines it had found to be susceptible.

A Jetstar spokesperson told iTnews that it had not seen evidence of misuse.

“We take cyber security and privacy extremely seriously and have no evidence of our customers’ booking details or data ever being misused by unauthorised parties through the booking link,” the spokesperson said.

“To ensure our customers’ information remains protected we have multiple layers of security in place and are continuously implementing further cyber safeguards for emails, itineraries and our systems.

“Sensitive customer information such as payment details are not accessible through a customer’s booking link.”

Wandera said the amount of information that could be obtained by intercepting the check-in link and embedded credentials varied by airline.

It anonymised this part of its findings. For one airline, only the passenger’s last name and booking reference could be accessed; for others, a bevy of data including payment details could be found.