Have you travelled on planes in recent years?
If so, I’m sure you’ve had your fair share of security seriousness at airports.
One of the strictest, and perhaps the most peculiar, exchanges I’ve overheard went something like this:
Security Officer: You can’t take a 110g tube of toothpaste through security, Sir.
Passenger: But, look! It’s close to half empty. There’s 60g at most in there. Weigh it, you’ll see.
Security Officer: Sorry, Sir. If you want to carry more than 100g of toothpaste, buy two 100g tubes.
Passenger: I don’t want to carry 200g of toothpaste. I want to carry 60g of toothpaste. In fact, I am carrying 60g of toothpaste.
Security Officer: I’m sorry, Sir, I don’t make the rules. I’m just following orders.
And as for finding out whether your mother-in-law managed to board her connecting flight in Singapore, having been worried about getting lost in Changi airport?
Forget it.
Actually, unlike the dentifrice disaster story above, the lockdown of passenger lists is a good thing.
The privacy of passengers should be strongly protected, so no complaints there.
Delta disappointment
So, what a disappointment to read that Delta, and apparently other US airlines, didn’t seem to see it that way.
Hackers of NY denizen Dani Grant found that out last week when she received a URL from Delta that led to her boarding pass.
(She didn’t say in her post but it looks from the screenshots like a non-HTTPS URL; that’s a concern for another time.)
The SNAFU was just like last week’s flaw at AliExpress, the online retail portal of Chinese e-commerce megabrand Alibaba.
By changing characters in a parameter in a URL, AliExpress users could retrieve the home address and phone number of other users.
At least in the AliExpress case, you had to log in as someone first, before accessing anyone else’s data.
In Dani Grant’s case, arbitrarily changing even a single character in her URL brought up other people’s travel plans, without any authentication stage at all.
A bit more URL fiddling, and she had a boarding card for a third passenger on a different airline:
The cybercrime angle
We’ll ignore that this makes a mockery of the security precautions at many airports.
Let’s look at why this is a problem in general terms, by forgetting the in-flight safety angle for a moment, and considering the cybercrime side of things.
Both the Delta Airlines and the Alibaba URL vulnerabilities play right into the hands of online scammers and social engineers.
In many, if not most, online scams, the crooks don’t need to know that you are flying to Florida this evening, arriving at 19:45.
They just need to know that somebody is going to be on that plane, or some other plane, to be able to tweak their criminality to target that person.
And if they can automate the process of recovering that sort of information by simply scraping URLs until they get lucky, they can attack even more broadly.
How to tell?
Of course, this raises the question, “As a consumer, how can you tell if a website is guilty of this sort of data leakage carelessness?”
Sometimes, you’d be wise to assume there’s a problem, for example if the confidentiality of a web page relies on some text in the URL, but the text looks far from random:
But even then, proving there really is a vulnerability is tricky, because:
- You might get close by trying nearby strings (e.g. id=32767, id=32768), but not close enough to hit paydirt. (Maybe you needed to try id=42766 instead?)
- You might actually hit paydirt, and then what? (Whom do you tell? What if you just broke your country’s equivalent of the Computer Misuse Act?)
What to do?
“Having a go” at URLs to see what you can find is not a good idea, and we don’t recommend it.
Even if your motivation is pure, you could end up in trouble if you don’t have explicit permission.
A court might form the opinion that you knew jolly well you were going after data that wasn’t yours, and find you at fault.
All we can recommend is that if you do encounter what you consider to be security through obscurity, report it and ask what the company concerned has to say about it.
Dani Grant did just that in the case above; Delta, bless their hearts, replied to her, and didn’t try to brush it under the carpet, either:
[We] certainly understand how insecure you must have felt due to the unpleasant incident you experienced while trying to view and print [your] boarding pass from our website.
That’s not as good as a clear statement that the problem is being fixed, and how solidly, but it’s a good start, not least because it explicitly admits the flaw as an insecurity.
By the way, if your company deploys “secret” URLs for any purpose, whether customer facing or internal, why not review how they are generated, distributed and used?
Don’t make the same mistakes as Alibaba and Delta…
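As an added illustration of that review (example code written here, not Delta’s or Alibaba’s), the toy below issues boarding-pass links keyed by a CSPRNG token instead of a sequential id, resolves them with a constant-time comparison while counting misses per client (the trace an enumeration attempt leaves behind), and applies a rough heuristic for spotting “secret” URL components that are far from random. The record store, the base URL and the thresholds are assumptions for the example.

```python
import hmac
import math
import secrets
from collections import Counter

# Constructed in-memory store: record keyed by an unguessable token, not by a
# sequential id whose neighbours (id=32767, id=32768) are other people's passes.
_PASSES = {}
# Failed lookups per client: the signal a "change one character and retry"
# enumeration attempt leaves in the logs, so it is worth alerting on.
_FAILURES = Counter()

def issue_pass_link(record, base="https://example.invalid/boardingpass/"):
    """Create a link whose secret part is 32 CSPRNG bytes, URL-safe base64."""
    token = secrets.token_urlsafe(32)
    _PASSES[token] = record
    return base + token

def lookup_pass(token, client="unknown"):
    """Resolve a token to its record; None on a miss.
    Compare in constant time so a near-miss does not leak through timing."""
    for stored, record in _PASSES.items():
        if hmac.compare_digest(stored, token):
            return record
    _FAILURES[client] += 1
    return None

def shannon_bits_per_char(s):
    """Entropy estimate of a token from its own character frequencies."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_guessable(token, min_len=22, min_bits_per_char=3.0):
    """Review heuristic for a 'secret' URL component: too short, purely
    numeric (sequential-id style), or low character diversity.
    Thresholds are assumptions chosen for this example."""
    if len(token) < min_len or token.isdigit():
        return True
    return shannon_bits_per_char(token) < min_bits_per_char

def enumeration_suspects(threshold=5):
    """Clients whose failed-lookup count exceeds the threshold."""
    return {c: n for c, n in _FAILURES.items() if n >= threshold}
```

A miss counter like `_FAILURES` is only useful if it feeds rate limiting or an alert; the constant-time compare protects a single token, not a service that happily answers thousands of guesses.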
TSA is what happens when you advertise job openings on pizza boxes and bus shelters. The only real requirements to get hired seem to be a GED, a below-average IQ, and living near a major airport.
There is a former TSA employee who has been spilling the beans about the behind-the-scenes nonsense at the agency, including a debate over letting someone carry a goldfish on board. The wisdom of the agents produced an answer that the fish was allowed but the water in the bag was not.
Interestingly, no part of the article above really has anything directly to do with TSA. (The toothpaste incident, as the weights and measures suggest, happened outside the US.)
My own experiences, when sticking up for my own privacy in the face of security guards at airport security checkpoints around the world, have been varied.
The most respectful and commendable treatment I have received has been in the USA (from TSA, as it happens, at LAX), in New Zealand (can’t remember where, AKL or WLG) and in England (LHR).
The worst has been in South Australia (ADL) and in England (LHR).
How it goes.
So we don’t know if this was an ethical disclosure and that the hole’s been fixed?
I *think* the hole has been fixed but haven’t seen anything formally to confirm that. Can anyone advise?
I’m in doubt about this: was she really modifying the URL’s parameters, or searching on Google/Twitter/etc. for those domains? Because I’ve arrived at the same boarding passes using a quick site search.
The e-boarding pass URL looks like this:
http://example.com/folder/folder/folder/z3TH0[DELETED]ptNDePhcU./9[DELETED]0e/a[DELETED]634e/circle
(This was the URL for the 1st example “M. S. PREM 3D” 😉 )
And as you can see, in this case it isn’t something like changing an integer value in a variable; it is more than that. I’m not saying that Delta is doing everything right here, but IMHO getting access to those boarding passes might be a little bit more complex than was stated in Dani’s article.
I like this kind of news because it pushes big corporations to improve their security, but we/they need to help users understand that sharing this kind of information online is not OK.
Her article gave me the impression that the boarding passes I showed above (cropped and made tiny) were exactly the ones she herself acquired as claimed in the article.
That claim was, IIRC, that in at least one case, only a single character of the URL had to be changed.
It may be hard to determine the veracity of her claim now, though I stand by my comments that Delta at least sort of admitted that it was pretty easy to do.
I hope my comments in the article along the lines of “don’t try this at home” meet your standards of trying “to help users understand that sharing this kind of information online is not OK.”
Perhaps I’m more pessimistic, but I didn’t read that as an admission there was an insecurity, only the acknowledgment that she felt insecure.
I hear you. Maybe there is a spot of legalism in there…
But I’m willing to cut Delta a bit of slack – the word “unpleasant”, used in respect of an emotion provoked by Delta itself, doesn’t seem to admit of much else than “we did a wrong thing.”
At least Delta didn’t say something along the lines of, “What’s your problem? Everyone does it this way and the regulators are perfectly happy, so get over it.”
And Delta didn’t use the words “overabundance of caution,” which I consider an oxymoron 🙂
We don’t know if Dani Grant had any followup later to add some detail…but, as I said, a clearer statement up front about what was going to happen would have been better.
According to Delta comment on Buzzfeed – http://www.buzzfeed.com/charliewarzel/a-delta-airlines-security-flaw-lets-you-check-in-to-flights – this issue was fixed on Tuesday morning. Good to see that Delta reacted quickly and was able to push out an update.
Thanks for that. Good to know.
BTW, I do not agree with Delta’s followup statement, which reads along the lines of “we fixed this but it wasn’t really a big deal”:
This was a privacy breach and, as I pointed out in the article, this isn’t really about flight safety (where other checks such as asking for ID at check-in serve to mitigate the in-flight risks). It’s about leaking information about people’s movements and personal lives that is [a] no-one else’s business, and [b] grist to the mill of cybercrime.
Whatever monitoring and analysis Delta was doing “to ensure privacy for [its] customers” didn’t seem to have worked in this case, eh?
And another website which has fallen to this:
http://www.bbc.co.uk/news/technology-30686697
Worrying!