2018-11-02
Hong Kong Airlines is suspected of having a serious vulnerability in the e-boarding passes it issues. By modifying the e-boarding pass URL, the boarding pass number and flight details of another passenger are disclosed. With that information, important personal data such as the passenger's name, date of birth, passport number and passport expiry date can also be looked up through the airline's official website.
This vulnerability falls under the Open Web Application Security Project (OWASP) Top 10 category A5:2017 "Broken Access Control": the application exposes insecure direct object references. The airline in this incident did not encode the passenger information on the e-boarding pass, which made it possible to gain unauthorized access to other passengers' personal data simply by modifying the e-boarding pass URL.
We recommend that wherever sensitive data is processed, strict access monitoring and authorization checks are enforced to reduce the risk of unauthenticated or unauthorized access being exploited by attackers. In addition, it is best practice to perform regular full assessments of the enterprise's network infrastructure and web applications to identify potentially damaging vulnerabilities and threats.
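As an added illustration of the access-control failure described above (example code, not the airline's or the author's), the insecure lookup is shown beside a hardened version that ties each record to the authenticated passenger and replaces the guessable pass number with a random link token. All passenger names, pass numbers and the URL path are constructed for the example.

```python
import secrets
from typing import Callable, Dict, Optional

# Constructed sample records standing in for the airline back end (fake passport numbers).
PASSES: Dict[int, dict] = {
    1001: {"owner": "alice", "name": "Alice Tan", "passport": "X0000001", "flight": "HX123"},
    1002: {"owner": "bob", "name": "Bob Lee", "passport": "X0000002", "flight": "HX123"},
}

class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""

def vulnerable_lookup(pass_number: int) -> dict:
    """Insecure direct object reference: the number from the URL alone selects the record."""
    return PASSES[pass_number]

def hardened_lookup(session_user: Optional[str], pass_number: int) -> dict:
    """Resolve the reference, then verify the record belongs to the authenticated caller."""
    if session_user is None:
        raise Forbidden("authentication required")
    record = PASSES.get(pass_number)
    # One response for "no such pass" and "not your pass", so the ID space cannot be probed.
    if record is None or record["owner"] != session_user:
        raise Forbidden("not found")
    return record

# Opaque link tokens issued in place of the sequential pass number (hypothetical design).
LINK_TOKENS: Dict[str, int] = {}

def issue_link(pass_number: int) -> str:
    """Return a link whose reference is a 256-bit random token, not a guessable number."""
    token = secrets.token_urlsafe(32)
    LINK_TOKENS[token] = pass_number
    return "/boarding-pass/" + token  # hypothetical path

def resolve_link(session_user: Optional[str], link: str) -> dict:
    """Map the token back to the pass, then apply the same ownership check as above."""
    pass_number = LINK_TOKENS.get(link.rsplit("/", 1)[-1])
    if pass_number is None:
        raise Forbidden("not found")
    return hardened_lookup(session_user, pass_number)

def denies(fn: Callable, *args) -> bool:
    """True if fn(*args) is refused; used to exercise the negative cases."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

Even with random tokens, the ownership check in `hardened_lookup` stays in place: an unguessable reference limits enumeration, but only the server-side authorization decision prevents a leaked or shared link from exposing someone else's data.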
Copyright © 中信國際電訊(信息技術)有限公司 CITIC Telecom International CPC Limited