Passengers who check in online before travelling could have their personal information stolen due to unencrypted links

Travellers often opt to use the online check-in service to print their boarding passes and speed up their travel time at the airport.

However, security researchers at Wandera revealed a vulnerability which could leave travellers open to being hacked.

Their latest report confirms that a number of airlines, including Thomas Cook, Vueling and Air France, are sending unencrypted check-in links to passengers.

The link then directs the passenger to the website to confirm their flight and print their boarding pass.

However, Wandera warns that the link can easily be intercepted, leaving hackers able to log in and take any personal data if the "hacker is on the same network", such as when the passenger is using public Wi-Fi.

They said in the report: "Once the vulnerable check-in link is accessed by the passenger, a hacker can easily intercept the credentials that allow access to the e-ticketing system, which contains all of the personally identifiable information (PII) associated with the airline booking."

This includes the passenger's name, email address, passport details, as well as flight details such as time, date and seat bookings.

The potential threat affects passengers because it would allow the hacker to change the mobile number or email address associated with the flight, gaining access to personal details and making unauthorised changes.

The vulnerability was first discovered in December 2018, when Wandera contacted all of the affected airlines to make them aware of the risk.

To avoid it happening, they advised the airlines to use encryption during the process, as well as to require user authentication before allowing the passenger to log in.

Passengers should also have security systems in place to block attacks by hackers on their devices.
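The advice to airlines above can be checked before a check-in e-mail is sent. The following is an added example, not code from Wandera or any airline: it audits the links in an e-mail body for plain HTTP and for booking identifiers carried in the URL. The parameter names, the `airline.example` domains and the sample e-mail are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumed (hypothetical) query-parameter names that identify a booking.
SENSITIVE_PARAMS = {"pnr", "bookingref", "surname", "lastname", "token"}

# Constructed sample e-mail body; hosts and values are placeholders.
SAMPLE_EMAIL = """
<p>Your flight is ready for check-in.</p>
<a href="http://checkin.airline.example/start?pnr=ABC123&amp;surname=DOE">Check in</a>
<a href="https://checkin.airline.example/start?pnr=ABC123&amp;surname=DOE">Check in</a>
<a href="https://www.airline.example/manage">Manage booking (login required)</a>
"""

class _HrefCollector(HTMLParser):
    """Collects the href of every <a> tag in the e-mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_email_links(html_body):
    """Return (url, findings) for every link with at least one finding."""
    collector = _HrefCollector()
    collector.feed(html_body)
    report = []
    for url in collector.hrefs:
        parts = urlsplit(url)
        findings = []
        # Plain HTTP exposes the whole request to anyone on the same network.
        if parts.scheme.lower() == "http":
            findings.append("plaintext-http")
        # Identifiers in the URL mean the link alone opens the booking,
        # with no separate authentication step.
        exposed = sorted(k.lower() for k, _ in parse_qsl(parts.query)
                         if k.lower() in SENSITIVE_PARAMS)
        if exposed:
            findings.append("credentials-in-url:" + ",".join(exposed))
        if findings:
            report.append((url, findings))
    return report

if __name__ == "__main__":
    for url, findings in audit_email_links(SAMPLE_EMAIL):
        print(url, findings)
```

The second link shows why encryption alone is not the whole fix: it is sent over HTTPS but still lets anyone holding the URL open the booking.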

A Thomas Cook Airlines spokeswoman told Sun Online Travel: "We take the security of our customers’ data very seriously and investigated this matter as a priority.

"We have looked into the questions raised and have taken immediate action to further increase the security of our customer data."

An Air France spokesperson told Sun Online Travel: "The Air France-KLM group's databases are monitored in real time to identify and prevent any fraudulent access. There has been no hacking of airlines group databases.

"An e-mail sent to the customers before their trip contains a link to the check-in process on the airlines' commercial websites.

"Fraudulent use of this link would under no circumstances allow access to data other than that of the current reservation. Customer profile information, including sensitive information such as bank details, is fully protected.

"IT teams are working to further enhance security on the link sent to customers as part of the check-in process. This update will be effective very soon."

A similar potential vulnerability was brought to light earlier this year by Safety Detective Research Lab, which saw British Airways and Qantas, among others, at risk.

Those airlines use the booking platform Amadeus, and the unencrypted links sent to passengers could easily be intercepted.

Sun Online Travel has contacted Wandera and Vueling for comment.
