If you asked a friend if it is alright that his Date of Birth is known to a stranger, probably there are going to make a joke about it; “only if they send me a birthday gift”. But, what about their passports number?, an information security training researcher asks.
Now imagine that you try to check-in for your flight online, and see the error message”This booking does not exist”. Then the call center person repeats the same words. This has to be a mistake! You check your email, and there it is an email confirmation of cancellation. But you didn’t do it. This is not a far-fetched scenario this really happened.
An organization with a primary Digital Product that lacks even the basic data security practices is living in a utopian world where people leave their safe open and never expect a burglar to walk in.
Last year while an information security training expert was booking travel for my family, he stumbled across a few data-security practices that, as an information security advocate, make him worried. When the expert voiced the concerns to Emirates team, this conversation took place:
For a normal person, when you book your flight through Emirates, Domestic or International, there are approximately 300 data points related to your booking.
The moment you click on manage preferences to select a seat or meal for your trip or to Check-in to your flight, your Booking ID and Last name is passed on to approximately 14 different third-party trackers like Crazy egg, Boxever, Coremetrics, Google, and Facebook among others, information security training specialists said.
- After I completed the booking on Emirates, I received an e-mail confirmation.
- The body of the email contained Manage booking. The information security training expert proceeded to select seats and meal by clicking on the Manage Booking button and reached the Manage Preference page. This was pretty straightforward.
- While as a user, he saw the normal behavior of clicking a link and reaching the landing page “Manage Preferences”, in the background a redirection chain took place.
- While Manage Booking link was supposed to be exclusive to him (the user and the website), this link was also shared with numerous third party trackers implemented by Emirates on their webpages.
The insecureness of HTTP has been talked about over and over again, especially when it comes to maintaining the authenticity of the content and protection against interlopers. But in short, HTTP links are a Data Privacy nightmare. So, not only was Emirates passing on user information to the self-implemented third party trackers, but also allowing network adversaries to have access to the supposedly “Private” page.
What kind of information can third-parties access?
Anyone who has access to these links can not only read but also edit the information.
For example, they can now:
- Change or Cancel flight
- Change seat or meal preference
- Add more products to the booking
- Change or add Passport Information
- Change or add Frequent Flyer Information, etc.
Note: In October 2017, fields such as Passport Number, Email Id and Telephone number were shown to be masked on the User Interface but were not obfuscated in source code. The web app has been revamped since then and these fields are now obfuscated.
Masked fields in plain text. (October 2017)
The information security training professional take a peek into the mobile app and see if the past catches up with the present. Passport Number, Email ID and Telephone number in plain text. What was obfuscated on the web app was easy to access on the mobile app.
This issue is not only limited to Emirates, a lot of airlines like Lufthansa, KLM (last checked on October 2017) suffer from the same issues.
Every website uses third party trackers for improving their product and provide better web-usage experience. Data leaks are often considered collateral-damage and sometimes not even considered at all while implementation of such trackers.
Most of these third-parties are present on a lot of other websites and use long term identifiers like cookies etc to track users across domains. Now because one of the websites, in this case Emirates, leaks private information, these companies now potentially can not only link the user’s activity across web, but also identify who the user is.
The questions that need answering by Emirates (and others) are: Why was my booking information passed on to these third parties without my explicit consent? Why do these third parties need to receive this information? Is Emirates even aware that sensitive user information is being leaked to these third parties? Who are these third parties? What are they doing with user information?
In the wake of responsible behavior, on discovering these serious security flaws that violate user-data privacy, the information security training expert decided to flag them to Emirates through Twitter DM in October 2017. Please note that he could not find a dedicated channel for reporting security bugs on Emirates website.
The Social Media Team immediately responded to his Twitter DM with a canned response but he was not ready to give up hope. The information security analyst also wrote an email to the Product Manager highlighting the security flaws. He was met with a deafening silence.
As of (2018–03–03) lot of these issues still persists.
This is a serious violation of privacy; there is no point during the whole booking process, where he agreed upon sharing any of this personal information with any of these websites.
Unfortunately, the information security training researcher could not find a way to opt-out of this system provided by Emirates. Finally he had to fall back on using privacy preserving browser extensions.
As an information security analyst understand the need to use third party services for optimizing and enhancing not only the Digital Product but also how user interacts with the product.
It is not the usage of third party services that is of concern here in this case but the implementation of these services. Emirates has the control of their website and what the website shares with third party services. It is this control that needs to be exercised to limit the leakage of User information.
It is not a mammoth task; it is just a matter of commitment to preserving the basic right to privacy.
The information security training expert gives some examples:
- Private pages should have noindex Meta tags.
- Limit the presence of third-party services on private pages.
- Referrer-Policy on pages with sensitive data.
- Implement CSP and SRI. Even with a huge footprint of third-party services CSP, SRI are not enabled on Emirates.com
- User needs to be informed when sensitive information like passport, contact details etc. is updated, edited, or deleted.
- Domain for sending e-mails: track.emirates.email, should have a valid certificate. https://track.emirates.email/