Poor security at Thomas Cook airlines leads to simple extraction of fliers’ personal data

Bad news if your partner doesn't know who you took on that 'business trip'...

Thousands of holidaymakers relying upon Thomas Cook Airlines to get them to their vacation may have had their personal information put at risk due to sloppy security.

Roy Solberg, a programmer in Norway, discovered that it was possible to retrieve the following information from Thomas Cook Airlines’ systems using only a booking reference number:

  • Full name of all travelers on that booking
  • Email address of person registering the booking
  • Departure:
    • Date
    • Airport
    • Flight number
  • Return:
    • Date
    • Airport
    • Flight number

Solberg discovered that trips booked through the travel agency Ving, whose parent company is Thomas Cook, are assigned incremental booking reference numbers. In other words, you can reach other customers’ details simply by subtracting or incrementing the reference number in a URL.

This is known as an Insecure Direct Object Reference (IDOR). It is not only one of the most commonly encountered problems in poorly designed web applications, but also one of the easiest for an attacker to exploit.

In his tests, Solberg says that he was able to use the technique to see details of trips as far back as 2013, through to 2019. The bug finder believes that he could easily have written a computer program to loop through possible booking reference numbers and extract the personal details of most customers and their trips.
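To make the flaw concrete, here is an added example (not Solberg's code and not Thomas Cook's or Ving's system) of a booking lookup with the weakness the article describes, beside a hardened form: references drawn from a CSPRNG instead of a counter, and a lookup that also demands something only the booking party knows. The record fields, the lead-traveller surname check and the sample booking are all assumptions constructed for the example.

```python
import hmac
import secrets
import string
from typing import Optional

# Constructed in-memory booking store (no real customer data): reference -> record.
BOOKINGS = {}

def sequential_reference(counter: int) -> str:
    """Weak scheme from the article: one reference reveals its neighbours."""
    return f"{counter:08d}"

def random_reference(length: int = 10) -> str:
    """Hardened scheme: CSPRNG-drawn reference, 36**10 ~ 2**51.7 possibilities."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def add_booking(reference: str, travellers: list, email: str,
                outbound: dict, inbound: dict) -> str:
    BOOKINGS[reference] = {"travellers": list(travellers), "email": email,
                           "outbound": outbound, "inbound": inbound}
    return reference

def lookup_vulnerable(reference: str) -> Optional[dict]:
    """IDOR: holding (or guessing) the reference alone discloses the record."""
    return BOOKINGS.get(reference)

def _same(a: str, b: str) -> bool:
    # Case-insensitive, constant-time comparison (no timing side channel).
    return hmac.compare_digest(a.casefold().encode("utf-8"),
                               b.casefold().encode("utf-8"))

def lookup_hardened(reference: str, surname: str, email: str) -> Optional[dict]:
    """Require a second fact the booking party knows (assumed fields: lead traveller's
    surname and registered e-mail); unknown reference and wrong claimant answer alike."""
    record = BOOKINGS.get(reference)
    if record is None:
        return None
    lead_surname = record["travellers"][0].split()[-1]
    if _same(lead_surname, surname) and _same(record["email"], email):
        return record
    return None

def seed_sample() -> str:
    """Constructed sample booking; names, flight numbers and dates are made up."""
    return add_booking(sequential_reference(1002), ["Ola Nordmann", "Kari Nordmann"],
                       "ola@example.com",
                       {"date": "2018-07-01", "airport": "OSL", "flight": "XX1234"},
                       {"date": "2018-07-08", "airport": "PMI", "flight": "XX1235"})
```

A real deployment would pair the hardened lookup with per-source rate limiting and logging of failed lookups, since a guessable reference plus a guessable surname is still weaker than a random reference alone.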

Solberg says that data of bookings made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway were affected by the vulnerability, but it seems perfectly plausible that other sites may be similarly impacted.

Aside from other privacy concerns (airlines will not normally confirm who is booked on what flight) such information could also be used in targeted phishing attacks claiming to come from a travel operator.

And if there’s more than one person travelling on the same booking, they would be visible too.

Which, as Solberg explains, is potentially another concern for those wishing to keep the details of their trip private:

“Some people might not like that you can see who they travelled with on vacation maybe 5 years ago. (‘Didn’t you say you were going to that job conference in Stockholm? And who is this you were travelling with?’)”

Solberg details on his blog how difficult it was to receive a timely response from Thomas Cook Airlines about the security vulnerability, although he does note that it has now been resolved.

Of course, we have little way of knowing if anyone exploited the security vulnerability in the past five-or-so years.
