A Premium Luggage Service’s Web Bugs Exposed the Travel Plans of Every User—Including Diplomats

An airline that left all of its passengers' travel records exposed to hackers would make an attractive target for espionage. Less obvious, but perhaps even more useful to those spies, would be access to a premium travel service that spans 10 different airlines, has left its own detailed flight information accessible to data thieves, and seems to be favored by international diplomats.
That is what a team of cybersecurity researchers found in Airportr, a luggage service based in the United Kingdom that partners with airlines to let its users, largely in the United Kingdom and Europe, pay to have their bags collected, checked, and delivered to their destination. Researchers from Cyberx9 found that simple bugs in the Airportr website let them access practically all of those users' personal information, including their travel plans, and even obtain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit. Among the small sample of user data the researchers examined and shared with Wired, they found what appear to be the personal details and travel records of several government officials and diplomats from the United Kingdom, Switzerland, and the United States.
“Anyone could have gained or could have obtained absolute access to the back end of all the operations and data of this company,” explains Himanshu Pathak, founder and CEO of Cyberx9. “The vulnerabilities resulted in the exposure of confidential data of all customers of airlines in all countries that used the company’s service, including total control over all reservations and luggage. Because once you are the super-administrator of their most sensitive systems, you have the opportunity to do anything.”
Airportr CEO Randel Darby confirmed Cyberx9’s findings in a written statement provided to Wired, but noted that Airportr had fixed the vulnerabilities within days of the researchers alerting the company to the problems last April. “The data was accessible only to ethical hackers in order to recommend improvements to Airportr’s security, and our rapid response and mitigation meant there was no additional risk,” Darby wrote in the statement. “We take our responsibilities to protect customer data very seriously.”
Cyberx9’s researchers, for their part, say the simplicity of the vulnerabilities they found means there is no guarantee that other hackers have not already accessed Airportr’s data. They found that a relatively basic web vulnerability allowed them to change the password of any user and take over that account if they had only the user’s email address, and they were also able to guess email addresses without any rate limiting on the site. As a result, they could access data including all customers’ names, telephone numbers, home addresses, detailed travel plans and history, plane tickets, boarding passes and flight details, passport images, and signatures.
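As an added illustration (not code from Airportr or from Cyberx9’s report), the following Python sketch shows the reset design that closes the two weaknesses described above: a new password can only be set by whoever holds a single-use, expiring token delivered to the mailbox, and the request endpoint answers identically for known and unknown addresses and is rate limited per address and per client IP. The user store, the OUTBOX list standing in for a mailer, and the addresses are constructed placeholders.

```python
import hashlib
import secrets
import time
from collections import defaultdict

RESET_TTL = 15 * 60            # reset token lifetime in seconds
MAX_REQUESTS_PER_HOUR = 5      # per e-mail address and per client IP

# Constructed user store (email -> salted password hash) and in-memory state.
USERS = {"alice@example.com": None}
_tokens = {}                    # sha256(token) -> (email, expiry)
_buckets = defaultdict(list)    # rate-limit key -> request timestamps
OUTBOX = []                     # stands in for the mailer: (email, token)

def _hash_pw(password):
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _allowed(key, now):
    recent = [t for t in _buckets[key] if now - t < 3600]
    if len(recent) >= MAX_REQUESTS_PER_HOUR:
        _buckets[key] = recent
        return False
    _buckets[key] = recent + [now]
    return True

def request_reset(email, client_ip, now=None):
    """Step 1: the caller supplies only an e-mail. Instead of letting the caller
    set the new password here, a secret token is sent to the mailbox, and the
    reply is identical for known and unknown addresses (no enumeration)."""
    now = time.time() if now is None else now
    email = email.lower()
    if not (_allowed("email:" + email, now) and _allowed("ip:" + client_ip, now)):
        return "rate_limited"
    if email in USERS:
        token = secrets.token_urlsafe(32)
        _tokens[hashlib.sha256(token.encode()).hexdigest()] = (email, now + RESET_TTL)
        OUTBOX.append((email, token))
    return "ok"

def complete_reset(token, new_password, now=None):
    """Step 2: only the holder of the mailed token can set a password; the
    token is single-use (popped on first use) and expires after RESET_TTL."""
    now = time.time() if now is None else now
    entry = _tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    USERS[entry[0]] = _hash_pw(new_password)
    return True
```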
With access to an administrator account, Cyberx9’s researchers say, a hacker could also have used the vulnerabilities they found to redirect luggage, steal luggage, or even cancel flights on airline websites by using Airportr’s data to access customers’ accounts on those sites. The researchers say they could also have used their access to send emails and SMS messages as Airportr, a potential phishing risk. Airportr tells Wired that it has 92,000 users and claims on its website that it has handled more than 800,000 bags for customers.
