Discovery of a fatal security problem present in Emirates Airlines reservation system

Many of the procedures such as online shopping and airline boarding reservations are becoming mainstream on the Internet. In that case, since personal information such as name and address will be input to the online system, it is obviously necessary for the system side to prepare a mechanism that absolutely does not leak personal information. However, according to software engineer Konarak Modi,Emirates AirlinesThere is a flaw in the online reservation system, and it is confirmed that it is in a state where it can be exploited even on March 3, 2018 (Sat).

How Airlines do not care about your privacy: Case Study Emirates.com
https://medium.com/@konarkmodi/how-airlines-dont-care-about-your-privacy-case-study-emirates-com-6271b3b8474b

In 2017, Mr. Modi made a reservation for flights using Emirates' online system for family trips. At that time, if you click the link to "Reservation management screen" in order to set up the seat and meal contents, "14 days" such as "Google", "Facebook" "Crazy egg" It was understood that the information of the "surname" was given.

Mr. Modi reproduces the situation at that time and also publishes actual screenshots and so on. First of all, when you make a boarding reservation with the Emirates Airlines online system, a confirmation email will be sent.


In this e-mail, "Manage booking" button is displayed, and by clicking on this button, I can access "reservation management screen" which sets seat and meal information ......


Clicking on this button will add two URLs shown in red in front of the page (original surplus URL of the image) that should be accessedredirectIt was confirmed that it was done. Although there is no problem because the redirect itself is convenient on the system side, these two URLs differ from 14 different such as "Google" and "Facebook"trackingIt seems that I also confirmed that I accessed the site and sent information such as "reservation ID".


When the third URL is accessed, the link "Passenger preferences" for managing the reservation information is displayed. However, this linkHTTPWhen this link is clicked, exchange of data such as reservation information and the like performed between the online system and the user is not encrypted at allPlaintextIt was discovered to be done in.


In other words, Emirates Airlines' online system not only sends user information to external tracking sites but also allows third parties access to personal pages. Mr. MODY points out that the following operations may be easily performed by a third party.

1. Reservation change or cancellation of flight
2. Change of seat or meal content
3. Book multiple flights without permission
4. Change / add passport information
5. Change Frequent Flyer

Mr. Modi already contacted Emirates Airlines in October 2017 with Twitter's direct mail to confirm the implementation of measures. However, the Emirates Airlines side said that they were only able to answer "Internally under consideration".


After that, it seems that some embarrassment was dealt with by Emirates Airlines due to the influence of Mr. MODY. User's information has been embedded in the source code of the web page contents of parameters such as variable name and value, and it seems that everyone could read the communication as it was intercepted, but the variable nameObfuscationIt became difficult to read by.


However, the information exchanged by the mobile application is not obfuscated and seems to be readable as it is with the variable name.


According to Mr. Modi, as of October 2017 it is not limited to Emirates Airlines,KLM Dutch AirlinesWe are confirmed that many other airline companies' systems also have similar problems, such as the fact that the industry has low security awareness.

Mr. Modi has confirmed that the issue of the online system of the Emirates Airlines is still continuing as of March 3, 2018 (Saturday), particularly concerning the problem of user information leakage, "Implementation is difficult and time to deal Therefore, rather than neglecting the problem, "the most basic commitment" to protect personal information must be given priority and priority must be fulfilled promptly. "