Security vulnerabilities in part of British Airways’ online check-in process have been uncovered by a UK-based cybersecurity firm.
According to researchers at Wandera, vulnerable check-in links being sent via email can be easily intercepted by hackers, allowing them to alter flight booking details or even view personal information belonging to passengers.
Other forms of sensitive information that could be revealed by the security flaw include passenger names, email addresses, booking references, seat numbers, flight times and phone numbers, researchers claimed.
The news of this security vulnerability follows a tumultuous week for the airline. A major IT outage last week led to nearly 300 flights being delayed or cancelled at two of the UK’s busiest airports – Heathrow and Gatwick.
British Airways was also fined £183 million for breaching GDPR last month by the Information Commissioner’s Office.
In a blog post on the company website, researchers explained: “Our threat researchers discovered that the vulnerable check-in links are being sent by British Airways to their passengers via email.
“In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website, where they are logged in automatically so they can view their itinerary and check-in for their flight.”
A lack of encryption, the team said, means that an individual snooping on the same public WiFi network can easily intercept the link request.
This particular security flaw was discovered in July after someone accessed British Airways’ e-ticketing system from the firm’s network.
It was at that time that Wandera notified the airline of the vulnerable link, according to the researchers.
The company recommends that airlines adopt encryption throughout the check-in process to prevent similar issues from occurring, and encouraged users to have an “active mobile security service” deployed to monitor and block potential attacks.
Additionally, the researchers recommended: “Airlines should require explicit user authentication for all steps where PII (personally identifiable information) is accessible, and especially when it is editable.”
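To illustrate the pattern the researchers describe and the fix they recommend, the following is an added example (not Wandera’s or British Airways’ code): it contrasts a check-in link that carries passenger details in its query string over plain HTTP with a design whose link carries only an opaque, expiring token, grants a read-only view, and refuses edits without explicit authentication. The hostname, parameter names and in-memory booking store are assumptions made for the example.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs
# Query parameter names to treat as PII when reviewing a link (assumed).
PII_PARAMS = {"surname", "bookingref", "email", "seat", "phone"}

def insecure_link(booking: dict) -> str:
    """The pattern the article describes: passenger details in the
    URL query string and no TLS, so anyone on the path can read it."""
    return "http://example.invalid/checkin?" + urlencode(
        {"surname": booking["surname"], "bookingref": booking["ref"]})

def audit_link(url: str) -> list:
    """Return the findings a link reviewer would raise (empty if clean)."""
    u = urlparse(url)
    findings = []
    if u.scheme != "https":
        findings.append("link not sent over TLS")
    leaked = PII_PARAMS & set(parse_qs(u.query))
    if leaked:
        findings.append("PII in query string: " + ", ".join(sorted(leaked)))
    return findings

class CheckinService:
    """Hardened design: the link carries only an opaque, expiring token;
    the token grants a read-only itinerary view, and any edit of PII
    requires the passenger to have explicitly authenticated."""
    def __init__(self, bookings: dict, ttl_s: int = 3600):
        self._bookings = bookings  # booking reference -> booking dict
        self._tokens = {}          # token -> (booking reference, expiry)
        self._ttl = ttl_s
    def secure_link(self, ref: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, nothing personal in it
        self._tokens[token] = (ref, time.time() + self._ttl)
        return "https://example.invalid/checkin?" + urlencode({"t": token})
    def view(self, token: str):
        """Read-only itinerary; None if the token is unknown or expired."""
        entry = self._tokens.get(token)
        if entry is None or entry[1] < time.time():
            return None
        b = self._bookings[entry[0]]
        return {"flight": b["flight"], "seat": b["seat"]}
    def edit_seat(self, token: str, new_seat: str, authenticated: bool) -> bool:
        """Editing is refused unless the user explicitly authenticated."""
        if not authenticated or self.view(token) is None:
            return False
        self._bookings[self._tokens[token][0]]["seat"] = new_seat
        return True
```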
Earlier this year, Wandera uncovered similar flaws in eight major airlines, including Southwest, KLM, Air France, Jetstar, Thomas Cook, Vueling, Air Europa and Transavia.