May 4, 2006

Identity Theft via Frequent Flyer Numbers?

The British paper The Guardian exposes a hole in the British Airways website. Given someone’s name and frequent flyer number, you could steal their entire identity:

We logged on to the BA website, bought a ticket in Borer’s name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

The airline responded and closed the hole. According to the article, somehow this whole issue is the fault of CAPPS II, the now-defunct TSA program for screening for airline terrorists. While I’m not excited about any program that invades my privacy and marks my friend’s 2-year-old as a terrorist, the airline is at fault here, not the TSA.

However, there are two lessons here:

  1. Be careful how you handle any piece of information that is a unique identifier for you. You never know what other information it might be tied to.
  2. When engineering or auditing a system, approach it in a threat-based way. Ask yourself, “If I only knew X piece of information, how much could I learn?” Better that you find out the nasty truth than a national newspaper.
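
The flaw the article describes is a design mistake, not a bug in a particular line of code: an identifier that is printed on every boarding pass was treated as if it were a secret. The example below is added here to illustrate that point and is not code from the original post or from any airline. It contrasts a lookup that returns a profile on the strength of the frequent flyer number alone with a hardened version that first authenticates with a password and then checks that the session actually owns the account it asks about. All profile records, passwords and field values are constructed placeholders, and the store names (`PROFILES`, `CREDENTIALS`, `SESSIONS`) are assumptions for the sake of the example.

```python
"""Identifier-as-authenticator versus authenticated, owner-bound access.
Added example; every record, password and token here is constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed profile store keyed by frequent flyer number. These are the
# fields the article says were exposed: passport, expiry, nationality, DOB.
PROFILES = {
    "FF123456": {"name": "Constructed Customer A", "passport": "PASSPORT-PLACEHOLDER-1",
                 "passport_expiry": "2030-01-01", "nationality": "XX", "dob": "1970-01-01"},
    "FF654321": {"name": "Constructed Customer B", "passport": "PASSPORT-PLACEHOLDER-2",
                 "passport_expiry": "2031-06-30", "nationality": "YY", "dob": "1980-02-02"},
}

# Constructed credential and session stores for the hardened design.
CREDENTIALS: dict = {}   # frequent flyer number -> (salt, password hash)
SESSIONS: dict = {}      # session token -> frequent flyer number it was issued to


def profile_weak(frequent_flyer_number: str) -> Optional[dict]:
    """Flawed design: the number printed on the boarding pass stub is the only
    thing checked, so anyone who reads it off a discarded stub gets the record."""
    return PROFILES.get(frequent_flyer_number)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; a memory-hard KDF would be preferable
    # in production but this keeps the example dependency-free.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(frequent_flyer_number: str, password: str) -> None:
    """Store a salted password hash for an account (constructed enrolment)."""
    salt = secrets.token_bytes(16)
    CREDENTIALS[frequent_flyer_number] = (salt, _hash_password(password, salt))


def login(frequent_flyer_number: str, password: str) -> Optional[str]:
    """Authenticate with something only the customer knows; return a random
    session token bound to that account, or None on failure."""
    entry = CREDENTIALS.get(frequent_flyer_number)
    if entry is None:
        return None
    salt, stored = entry
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = frequent_flyer_number
    return token


def profile_hardened(session_token: str, frequent_flyer_number: str) -> Optional[dict]:
    """Two checks, not one: the caller must hold a valid session, and that
    session must belong to the account requested. Without the second check a
    logged-in customer could read every other record just by changing the number."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != frequent_flyer_number:
        return None
    return PROFILES.get(frequent_flyer_number)


# Constructed enrolment so the hardened path has someone to log in.
register("FF123456", "constructed-password-1")
register("FF654321", "constructed-password-2")


def demo() -> dict:
    """Lesson 2 as a check: 'if I only knew the frequent flyer number, how much
    could I learn?' under each design. Returns the outcome of each probe."""
    stub_number = "FF123456"                  # what a boarding pass stub reveals
    token_a = login(stub_number, "constructed-password-1")
    return {
        "weak_number_only": profile_weak(stub_number),            # full record
        "hardened_number_only": profile_hardened("", stub_number),  # None
        "hardened_own_account": profile_hardened(token_a, stub_number),
        "hardened_other_account": profile_hardened(token_a, "FF654321"),  # None
    }


if __name__ == "__main__":
    for probe, result in demo().items():
        print(f"{probe}: {'exposed' if result else 'denied'}")
```

Running `demo()` shows the asymmetry the article found: the weak lookup hands over passport number, expiry, nationality and date of birth to anyone holding the number, while the hardened lookup returns nothing without a password-backed session and nothing for a session that belongs to a different account.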

Q. What could a boarding pass tell an identity fraudster about you? A. Way too much [The Guardian] (via Lifehacker)
