Poor security at Thomas Cook airlines leads to simple extraction of fliers’ personal data

Graham Cluley

Thousands of holidaymakers relying upon Thomas Cook Airlines to get them to their vacation may have had their personal information put at risk due to sloppy security.

Roy Solberg, a programmer in Norway, discovered that it was possible to retrieve the following information from Thomas Cook Airlines’ systems using only a booking reference number:

  • Full name of all travelers on that booking
  • Email address of person registering the booking
  • Departure:
    • Date
    • Airport
    • Flight number
  • Return:
    • Date
    • Airport
    • Flight number

Solberg discovered that trips booked through the travel agency Ving, whose parent company is Thomas Cook, are assigned incremental booking reference numbers. In other words, you can reach other customers’ details simply by subtracting or incrementing the reference number in a URL.

This is known as an Insecure Direct Object Reference (IDOR). It is not only a commonly encountered problem in poorly designed web applications, but also easy for an attacker to exploit.

In his tests, Solberg says that he was able to use the technique to see details of trips as far back as 2013, through to 2019. The bug finder believes that he could easily have written a computer program to loop through possible booking reference numbers and extract the personal details of most customers and their trips.
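As an added example (not code from Thomas Cook, Ving or Solberg's write-up), here is the lookup pattern described above beside a hardened version, plus a log check that flags a client walking consecutive references. The booking records, the access-log lines and the surname-as-second-factor check are constructed assumptions for illustration.

```python
import hmac
import secrets

# Constructed sample data: incremental numeric references, as the article reports.
BOOKINGS = {
    100231: {"names": ["A. Hansen", "B. Hansen"], "email": "a@example.com"},
    100232: {"names": ["C. Berg"], "email": "c@example.com"},
}

def lookup_insecure(ref: int):
    """The IDOR pattern: the guessable reference is the only thing checked."""
    return BOOKINGS.get(ref)
SECURE_BOOKINGS = {}  # unguessable reference -> record (constructed store)
def register_booking(record: dict) -> str:
    ref = secrets.token_urlsafe(12)  # 96 random bits instead of a counter
    SECURE_BOOKINGS[ref] = record
    return ref

def lookup_hardened(ref: str, surname: str):
    """Require a second factor; return None for both unknown ref and wrong surname."""
    record = SECURE_BOOKINGS.get(ref)
    if record is None:
        return None
    expected = record["names"][0].split()[-1].casefold().encode()
    if not hmac.compare_digest(expected, surname.casefold().encode()):
        return None
    return record

# Constructed access-log lines: "client path status".
ACCESS_LOG = [
    "203.0.113.7 /booking/100230 200",
    "203.0.113.7 /booking/100231 200",
    "203.0.113.7 /booking/100232 200",
    "203.0.113.7 /booking/100233 200",
    "203.0.113.7 /booking/100234 200",
    "198.51.100.4 /booking/100232 200",
]

def flag_enumeration(log_lines, window=5):
    """Flag clients that requested `window` consecutive numeric references."""
    seen = {}
    for line in log_lines:
        client, path = line.split()[:2]
        ref = path.rsplit("/", 1)[-1]
        if path.startswith("/booking/") and ref.isdigit():
            seen.setdefault(client, set()).add(int(ref))
    def has_run(r):  # r: sorted unique ints
        return any(r[i + window - 1] == r[i] + window - 1 for i in range(len(r) - window + 1))
    return {c for c, refs in seen.items() if has_run(sorted(refs))}
```

The hardened lookup still needs rate limiting on the endpoint; the random reference removes the guessable ID space, and the log check catches the sequential walking pattern the article describes.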

Solberg says that data of bookings made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway were affected by the vulnerability, but it seems perfectly plausible that other sites may be similarly impacted.

Aside from other privacy concerns (airlines will not normally confirm who is booked on what flight) such information could also be used in targeted phishing attacks claiming to come from a travel operator.

And if there’s more than one person travelling on the same booking, they would be visible too.

Which, as Solberg explains, is potentially another concern for those wishing to keep the details of their trip private:

“Some people might not like that you can see who they travelled with on vacation maybe 5 years ago. (‘Didn’t you say you were going to that job conference in Stockholm? And who is this you were travelling with?’)”

Solberg details on his blog how difficult it was to receive a timely response from Thomas Cook Airlines about the security vulnerability, although he does note that it has now been resolved.

Of course, we have little way of knowing if anyone exploited the security vulnerability in the past five-or-so years.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
