Airline tickets for Delta can be altered with a simple URL change
According to research, you can simply change the URL of your boarding pass and get someone else’s boarding pass, even if they’re on a different airline. Beyond the potential data privacy exposure, this would allow any passenger to change to a different flight.
Tod Beardsley, engineering manager at Rapid7, said that this is a “classic information leak in web design”.
“The web application developer needs to be conscious of this issue when coming up with an identification scheme,” he said.
“That said, the experiment described is nearly exactly what Andrew ‘weev’ Auernheimer was prosecuted for in his ‘hacking’ of AT&T by changing an identifier embedded in a URL.”
The flaw was spotted by researcher Dani Grant, who found that the QR code on a ticket encodes the passenger name in plain text.
“I thought it was probable that I could send my boarding pass to someone and that they’d be able to open it,” Grant told Mashable. “If that was the case, anyone could probably open any other boarding pass, too.”
Delta has said that it discovered the issue late on Monday, and implemented a fix on Tuesday morning.
In a statement to Time, Delta spokesperson Paul Skrbec said: “After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring.”
Beardsley said: “Given the state of the CFAA today, I would urge Dani to not pursue this research any further without authorisation from Delta.”
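Beardsley's point about the identification scheme can be shown in code. The sketch below is an added example, not code from the article or from Delta's systems: it contrasts a lookup that trusts the identifier in the URL with one that binds the identifier to its owner and checks the logged-in session. All names, record IDs and the `PASSES` store are hypothetical.

```python
import hashlib
import hmac
import secrets

# Per-deployment signing key (constructed for this example).
SECRET = secrets.token_bytes(32)

# Constructed sample records; real data would live in a database.
PASSES = {
    "1001": {"owner": "alice", "flight": "XX100"},
    "1002": {"owner": "bob", "flight": "XX200"},
}

def lookup_vulnerable(pass_id):
    """Trusts the URL identifier alone: any ID the client sends is served."""
    return PASSES.get(pass_id)

def _mac(pass_id, owner):
    msg = f"{pass_id}|{owner}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(pass_id):
    """Issue a URL token that ties the record ID to its owner."""
    return f"{pass_id}.{_mac(pass_id, PASSES[pass_id]['owner'])}"

def lookup_hardened(token, session_user):
    """Serve a pass only if the token is authentic AND the session owns it."""
    pass_id, _, mac = token.partition(".")
    record = PASSES.get(pass_id)
    if record is None:
        return None
    expected = _mac(pass_id, record["owner"])
    # Constant-time comparison; a token with an edited ID fails here.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    # Server-side authorization: a forwarded or leaked link is still refused.
    if record["owner"] != session_user:
        return None
    return record

if __name__ == "__main__":
    alice_token = make_token("1001")
    tampered = "1002." + alice_token.split(".", 1)[1]
    print(lookup_vulnerable("1002"))            # another passenger's record
    print(lookup_hardened(tampered, "alice"))   # None
    print(lookup_hardened(alice_token, "alice"))
```

The ownership check is the essential control; the signed token only stops identifier guessing and would not on its own stop a shared link from opening.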