British Airways flaw allows hackers to change your reservations

Security issues keep popping up for British Airways. Network security experts have revealed a flaw in the airline’s e-ticketing system that, if exploited, could expose passengers’ confidential information, including booking details and flight history; experts fear that this information could even be modified, which would seriously affect users.

According to reports, the confirmation links that the company sends to its customers via email are not encrypted, so threat actors can intercept them very easily. According to experts, traffic detected in British Airways’ exposed domains reaches 2 million views, so the incident could have a big impact on the airline.

“To expedite user procedures, passenger details are included in the URL parameters that direct users to the British Airways website via the link sent by email. These URL parameters are the user’s reference number and last name, data that are completely exposed because they do not have encryption,” network security experts said.

In other words, any malicious user on the same public WiFi network could intercept this link request to gain access to the records of any airline user. In addition, airport WiFi networks have already been shown to be unsafe, a factor that only worsens this possible attack vector.
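A defensive check for the link pattern described above, as an added example that is not from the original article or from British Airways: it scans an outgoing email body for links that use plaintext HTTP or carry booking identifiers in query parameters. The parameter names and the example.test URLs are hypothetical, since the article does not give the real ones.

```python
import re
from html import unescape
from urllib.parse import urlsplit, parse_qsl

# Hypothetical key names: the article names the data (reference number,
# last name) but not the query keys the airline actually uses.
SENSITIVE_KEYS = {"bookingref", "pnr", "reference", "lastname", "surname"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

def audit_link(url):
    """Return the list of findings for a single URL (empty if clean)."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        # Readable by anyone on the same network segment.
        findings.append("plaintext-transport")
    # Normalise key spelling so bookingRef, booking_ref, booking-ref all match.
    exposed = sorted(
        key for key, _ in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower().replace("_", "").replace("-", "") in SENSITIVE_KEYS
    )
    if exposed:
        # Query strings also end up in browser history and server logs.
        findings.append("identifiers-in-url:" + ",".join(exposed))
    return findings

def audit_email(body):
    """Map each flagged link in an HTML email body to its findings."""
    report = {}
    for raw in HREF_RE.findall(body):
        url = unescape(raw)  # href values are HTML-escaped (&amp;)
        findings = audit_link(url)
        if findings:
            report[url] = findings
    return report

# Constructed sample email body; example.test is a reserved test domain.
SAMPLE_EMAIL = """
<a href="http://checkin.example.test/manage?bookingRef=ABC123&amp;lastName=Smith">Check in</a>
<a href="https://checkin.example.test/manage?bookingRef=ABC123&amp;last_name=Smith">Manage</a>
<a href="https://checkin.example.test/login">Log in</a>
"""

if __name__ == "__main__":
    for link, issues in audit_email(SAMPLE_EMAIL).items():
        print(link, issues)
```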

With access to users’ personal information, threat actors could use it for phishing attacks or similar activities, or they might even modify a user’s reservation. Among the data exposed by the airline are:

  • Full name
  • Email address
  • Phone numbers
  • Airline user membership data
  • Booking details

The flaw was discovered last July; British Airways was immediately notified of these vulnerable links. However, network security experts reported that leaks have still been detected in recent weeks, meaning the flaw has not been corrected. It is important to note that British Airways has made contact with the experts who reported the flaw, so it could be completely corrected in the coming days.

In a statement, the company said that users’ passport and payment card data are not exposed, and that there is no evidence of user information being stolen: “The security of the information of our users is a matter of vital importance; we are taking the necessary steps to ensure that users enjoy our services safely,” the airline says.

Network security experts from the International Institute of Cyber Security (IICS) reported a similar security flaw earlier this year; on that occasion, the companies concerned included Southwest, KLM, Air France and Thomas Cook, among others. To correct this incident, companies implemented encryption in the online check-in process, and were advised to use multi-factor authentication to strengthen the security of logins on their platforms.