top | item 42347432

Tell HN: Alaska Airlines website exposes passenger data

65 points| JaakkoP | 1 year ago

TL;DR: Alaska exposes other customers names, record locators, flight information, phone numbers emails, and probably more. I could have canceled or changed these people's flights.

The first time it happened it appeared by seeing "Treat yourself, Samantha" in the website ad for upgrading yourself to Premium class. My name is not Samantha.

I clicked, and saw Samantha Lastname was traveling from Miami to Seattle. There was her phone number, record locator, ticket and mileage numbers, emails and other info. It also would have let me change or cancel her flights.

When I refreshed I got a new person. Trevor. He's going from JFK to SEA, and back to EWR.

I figured this wasn't one-off (yet still serious) bug, and called Alaska Support. They didn't believe me, but once I had rattled off the customer information I had in front of me and told them I'm none of these people, they transferred me to somewhere I thought was a higher up.

The higher-up person verified some information, asked no questions on how to replicate the bug, and asked me to log out and log back in. Once I did, the issue did not show up again. They said they'll send me 3,000 points for reporting. That sounded pretty low to me as it seemed like a serious data leak, but whatever.

I contemplated whether to post about this as I thought it would be interesting for the HN audience to see, but decided against it thinking I'll give Alaska time to fix it.

It's been 4 months now, and today this happened again. I saw an upgrade ad for Sally. Sally and Chris are traveling in the same reservation from Redmond, OR to Seattle in Main Preferred class. Knowing what I was looking at, I figured Alaska had done absolutely nothing to fix the issue.

I have a theory what's causing it as there's something specific that happened before both of these issues, but I'll refrain from posting it here so it's not as easy to exploit. Who knows what else the payload might include.

I took screenshots throughout the process, including some console logs, to document what I saw. I am sharing this here in the hope that the added visibility will finally push Alaska Airlines to address the issue.

44 comments

rootsudo|1 year ago

They have an ecomm team and info sec team but they’re pretty unwilling to fix this. They do agile but no one wants to own this, especially in December since they have change freezes and this will affect the yearly and monthly issues.

I would advise submitting this is the state of Washington and DOT federal and state.

Technically this is a data breach. Atg.wa.gov I would submit a data breach notification this will force them to actively fix it this month otherwise they will sit on it and push it off per agile sprint and do it when it’s convenient for the airline. Post holiday rush.

StressedDev|1 year ago

How do you know they are unwilling to fix this? My guess is it has not been fixed because the people who can fix the bug do not know it exists.

solardev|1 year ago

Support won't know what to do. Have you tried their cybersec form? https://www.alaskaair.com/content/about-us/site-info/report-...

JaakkoP|1 year ago

Thanks! Just did. I didn't think of it the first time given they escalated me to someone who then asked me to verify the information I had just told them over email. Maybe this will get their attention.

Neff|1 year ago

I have connections with people at Alaska. I will send this their way and hopefully someone will reach out. Make sure there is contact info in your bio

madaxe_again|1 year ago

Are you trying to get OP sent to prison?

madaxe_again|1 year ago

You need to be very, very careful about posting this, depending on your jurisdiction - in most western countries this disclosure is illegal, and you can be criminally prosecuted for providing information about accessing personal information, and you are also admitting that you knowingly accessed the personal information of other customers - in fact, airline passengers, who there are additional privacy laws for.

What you’ve done here is a criminal act according to the CFAA, and your exploration of their site could also be construed as wire fraud. As you’ve done this across state lines this is also a federal felony. You’re also in violation of the GLBA, as you’re disclosing the availability of airline customer information. You could also fall foul of the FTC and the wiretap act.

I have seen people (Weev, Michael Brown, numerous others) go to prison for similar, and this lot could win you years in a federal penitentiary.

Please, consider the legal consequences this could bring upon you.

I would simply forget about it and promptly delete this - it’s their problem, not yours, and by posting about it here, they could decide to make it your problem.

StressedDev|1 year ago

I am not a lawyer but this line of thinking does not make sense to me. First, poster did not post any personal information. Second, the poster responsibly disclosed the bug to Alaska Airlines but Alaska did not fix it. The poster is now publicly disclosing that the bug exists. Note that the poster did not include repo steps for the bug.

The bottom line is we need a mechanism to ensure security bugs are fixed. Publicly disclosing security bugs when an organization does not fix the bug is a good way to do this.

Note this practice started in the 1980s or early 1990s because software venders refused to fix security bugs. The full disclosure movement was created because security researchers wanted the bugs fix and publicly disclosing them was the only way to get some organizations to fix their security bugs.

rascul|1 year ago

They clicked an ad. What did they do that's illegal?

underdeserver|1 year ago

They have a bug. Serious one, yes, but they listened and gave you points for reporting it. Seems to me at least the support staff are trying (even if they aren't quite able to get it fixed).

solardev|1 year ago

I don't think it's realistic to expect airline support staff to know how to properly classify and route web vulnerabilities. Giving someone points is just a way to get them to go away so the ticket can be closed.

StressedDev|1 year ago

The OP can report the security problem by going to https://www.alaskaair.com/content/about-us/site-info/report-... . I think this is probably the best way to get Alaska Airlines to fix the problem.

usr1106|1 year ago

You did not read before commenting. OP had already done this: https://news.ycombinator.com/item?id=42347618

Not blaming you, we all do this. Just stating a fact.

Terr_|1 year ago

Perhaps some sort of UUID collision in terms of cookies/sessions?

solardev|1 year ago

Or perhaps a caching issue?

Dalewyn|1 year ago

>I'll refrain from posting it here so it's not as easy to exploit.

I commend your ethics, but I'm going to be straight with you: Alaska isn't going to do anything until tangible harm and damage occurs. The cost to address the problem is higher than the cost to just ignore it. Alaska probably won't think this even is a problem yet, for that matter.

If you still want to be an unwarranted gentleman, I would report this again but put a firm deadline to disclosure and say "No" is not an answer. Also have a lawyer handy if you choose to make this a problem for them.

StressedDev|1 year ago

I don't think this is fair. My guess is the person who found the bug did not report it to a person who knew how to handle a security bug report. My guess is the technical people at Alaska will fix the bug once they know it exists.

solardev|1 year ago

Do you have prior experience reporting to them, or why do you believe this to be the case?

(I'm not affiliated with them, just an occasional customer who's wondering if they have a bad reputation in this regard or something.)

solardev|1 year ago

OP did they ever write back?

ratg13|1 year ago

load balancer / caching issues

unknown|1 year ago

[deleted]