Hong Kong Airlines is suspected of having a serious vulnerability in the e-boarding passes it issues. By modifying the e-boarding pass URL, an attacker can retrieve another passenger's boarding pass number and flight details. With that information, important personal data such as the passenger's name, date of birth, passport number and passport expiry date can then be looked up via the airline's official website.
This vulnerability falls under A5:2017 "Broken Access Control" in the Open Web Application Security Project (OWASP) Top 10: an insecure direct object reference (IDOR), where the application exposes an internal record identifier to the user and fails to check that the requester is entitled to that record. In this case the e-boarding pass URL carried a direct reference to the passenger record that the user could alter, and the airline's server did not verify that the person requesting it was the passenger concerned, so other passengers' personal data could be obtained simply by modifying the URL.
We recommend that any endpoint serving sensitive data enforce authentication and a per-request authorization check (confirming that the requester owns the record being asked for), backed by monitoring of access to that data, so as to reduce the risk of unauthenticated or unauthorized access being exploited by attackers. In addition, it is best practice to carry out regular full assessments of the enterprise's network infrastructure and web applications to identify potentially damaging vulnerabilities and threats.
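To make the flaw and the fix concrete, the following is an added example written for this article; it is not Hong Kong Airlines code and does not reproduce the airline's actual URL format. The passenger records, the `example.invalid` URLs, the `owner_id` field and the function names are all constructed for illustration. The vulnerable handler serves whatever record the URL names, which is the IDOR pattern described above; the hardened handler identifies the requester from a server-side session, replaces the sequential boarding pass number in the URL with an unguessable token, and refuses the request unless the authenticated passenger owns the record.

```python
"""IDOR on an e-boarding pass lookup, shown beside a hardened version.

Added illustration for this article, not the airline's code. All records,
URLs, tokens and field names are constructed for the example.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


class AccessDenied(Exception):
    """Raised when the requester may not view the requested boarding pass."""


@dataclass(frozen=True)
class BoardingPass:
    owner_id: str        # account that the pass belongs to (assumed field)
    name: str
    date_of_birth: str
    passport_number: str
    passport_expiry: str
    flight: str


# Constructed sample records, keyed by a sequential boarding pass number.
RECORDS = {
    "1000231": BoardingPass("pax-A", "A. Chan", "1980-01-01", "K1234567", "2029-06-30", "HX123"),
    "1000232": BoardingPass("pax-B", "B. Wong", "1975-05-05", "K7654321", "2028-12-31", "HX123"),
}


def _param(url: str, name: str) -> str:
    """Return one query parameter from the e-boarding pass URL, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


# --- Vulnerable pattern: the URL carries the database key and nothing else ---------

def vulnerable_handler(url: str) -> BoardingPass:
    """Serves whatever record the 'bp' parameter names. Changing 1000231 to
    1000232 in the URL returns another passenger's personal data: no check
    is made that the requester is that passenger."""
    return RECORDS[_param(url, "bp")]


# --- Hardened pattern ----------------------------------------------------------------
# 1. The URL carries an unguessable per-pass token instead of the sequential number.
# 2. The requester is identified by a server-side session, not by the URL.
# 3. The server checks that the session owner owns the record before returning it.

TOKENS = {}     # token -> boarding pass number (server-side only, never enumerable)
SESSIONS = {}   # session id -> owner_id of the authenticated passenger


def issue_token(boarding_pass_no: str) -> str:
    """Mint the opaque token that goes into the e-boarding pass link."""
    token = secrets.token_urlsafe(32)   # 256 random bits; cannot be guessed or iterated
    TOKENS[token] = boarding_pass_no
    return token


def login(owner_id: str) -> str:
    """Stand-in for the airline's authentication step; returns a session id."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = owner_id
    return session_id


def hardened_handler(url: str, session_id: str) -> BoardingPass:
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise AccessDenied("not authenticated")
    bp_no = TOKENS.get(_param(url, "t"))
    if bp_no is None:
        # Same exception type as the ownership failure below, so the client
        # cannot use the response to tell "no such token" from "not yours".
        raise AccessDenied("access denied")
    record = RECORDS[bp_no]
    if record.owner_id != owner:        # the authorization check the vulnerable version lacks
        raise AccessDenied("access denied")
    return record


def is_denied(url: str, session_id: str) -> bool:
    """True if the hardened handler refuses the request (used to exercise the checks)."""
    try:
        hardened_handler(url, session_id)
    except AccessDenied:
        return True
    return False


def demo():
    """Walk through the attack and the fix; returns (leaked passport, own name, cross-access denied)."""
    leaked = vulnerable_handler("https://example.invalid/boardingpass?bp=1000232")
    sess_a = login("pax-A")
    tok_a = issue_token("1000231")
    tok_b = issue_token("1000232")
    own = hardened_handler(f"https://example.invalid/boardingpass?t={tok_a}", sess_a)
    cross = is_denied(f"https://example.invalid/boardingpass?t={tok_b}", sess_a)
    return leaked.passport_number, own.name, cross


if __name__ == "__main__":
    print(demo())
```

The random token on its own is not the fix: a link that is forwarded or logged still leaks the record, which is why the hardened handler also requires a session and the ownership comparison. In a real deployment the session would be established by authenticating the passenger (for example booking reference plus surname at minimum), token lookups would be rate limited and logged, and the same generic error would be returned for an unknown token and for a token belonging to someone else.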
If you would like to learn more about the topic, please leave us your information and we will contact you shortly.