Engadget has been testing and reviewing consumer tech since 2004. Our stories may include affiliate links; if you buy something through a link, we may earn a commission. Read more about how we evaluate products.
E-ticketing flaw could allow hackers to print boarding passes
Eight airlines send check-in links via unencrypted email that could be hijacked.
E-ticketing systems used by eight major airlines, including Southwest, suffer from a lax security that could expose personal information and result in tampering with seats and boarding passes. Researchers at mobile security firm Wandera published a report highlighting vulnerability found in check-in emails delivered to passengers. While there is no evidence of any significant breach, the vulnerability may still give travelers pause.
According to the researchers, the issue stems from the use of unencrypted check-in links sent to passengers via email. When a person clicks on the link, they are directed to a site to check in for their flight, make changes or print their boarding pass. Because the links are unencrypted, Wandera warns that a malicious actor connected to the same Wi-Fi network could intercept the link request and gain access to the person's check-in page.
Once a hacker has access to the page, they could view a significant amount of personal information, from names and addresses to Passport and ID numbers. They could also access specific details about the flight including booking references, flight times and numbers and seat assignments.
Because of how the vulnerability is exploited, it's unlikely that any sort of widespread attack could be launched against travelers. It would have to be a focused effort directed at individuals. However, it does open up the possibility of a hacker making someone's life miserable by changing their travel plans. Travelers can primarily avoid such an attack by making sure to only visit check-in links on a secure network.
