Delta Web Design Bungle Exposed Mobile Boarding Pass Data

Delta Airlines and the TSA have been forced to issue hasty statements reassuring passengers about flight safety after a blogger discovered a security flaw which allowed her to view other people’s mobile boarding passes.

Dani Grant, who founded the Hackers of NY site, claimed that on Delta she was able to view other customers’ boarding passes simply by making minor alterations to the URL of her own pass, for example by changing one number.

Mobile boarding passes also came up for Southwest Airlines after a bit of URL altering, she added.

With that information, she could technically have checked in to someone else’s flight or changed other details.

In reality, the flaw wouldn’t have allowed her to get past TSA inspectors as they would always check the boarding pass against a passenger’s ID.

However, she could theoretically have used her original pass to get through security and then altered the URL to board a different plane. That is unlikely in practice given the random nature of the URL tinkering: the new plane would have to leave from the same airport at around the same date and time.

Delta Airlines said it had fixed the issue by Tuesday.

“As our overall investigation of this issue continues, there has been no impact to flight safety, and at this time we are not aware of any compromised customer accounts,” a statement read.

A Transportation Security Administration statement had the following:

“Travel document checking is just one layer of TSA's defense for aviation security. Officers are trained to detect and potentially deter individuals who may attempt to board an aircraft with fraudulent documents.”

Rapid7 engineering manager Todd Beardsley argued that changing URL identifiers to access random data is a “classic information leak in web design.”

“The web application developer needs to be conscious of this issue when coming up with an identification scheme,” he added.

“That said, the experiment described is nearly exactly what Andrew 'weev' Auernheimer was prosecuted for for his 'hacking' of AT&T by changing an identifier embedded in a URL. Given the state of the CFAA today, I would urge Dani to not pursue this research any further without authorization from Delta.”
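To illustrate the identification-scheme point Beardsley raises, here is an added example (not code from Delta, Southwest or Rapid7) of a boarding-pass lookup that trusts the identifier in the URL, beside a version that checks ownership and a second defence that replaces sequential ids with unguessable tokens. The passenger records and user names are constructed.

```python
# Added example: an insecure direct object reference (IDOR) in a boarding-pass
# lookup, beside a hardened version. All data below is constructed.
import secrets

# Constructed store of boarding passes keyed by a sequential id, the kind of
# identifier that invites "change one number in the URL" enumeration.
PASSES = {
    1001: {"owner": "alice", "flight": "DL123", "seat": "12A"},
    1002: {"owner": "bob",   "flight": "DL456", "seat": "3C"},
}


def lookup_insecure(pass_id: int, _user: str):
    """Vulnerable: returns whatever record the URL id names, regardless of
    who is asking, so any user can walk the id space and read other
    passengers' passes."""
    return PASSES.get(pass_id)


def lookup_secure(pass_id: int, user: str):
    """Hardened: the record is returned only if it belongs to the requesting
    user. An unknown id and someone else's id both yield None, so the
    response does not reveal whether a given id exists."""
    record = PASSES.get(pass_id)
    if record is None or record["owner"] != user:
        return None
    return record


# Second defence: put an unguessable token in the URL instead of the
# sequential id, so enumeration is infeasible even if an ownership check is
# accidentally omitted somewhere. The ownership check is still applied.
TOKENS = {}


def issue_token(pass_id: int) -> str:
    """Mint a random 256-bit URL-safe token that maps to one pass."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = pass_id
    return token


def lookup_by_token(token: str, user: str):
    pass_id = TOKENS.get(token)
    if pass_id is None:
        return None
    return lookup_secure(pass_id, user)
```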
