Delta URL Bug Allowed Anyone to Access Anyone's Boarding Pass: Here's How (But It's Fixed Now)

Nicole Arce, Tech Times 18 December 2014, 02:12 am

Delta Airlines has quickly issued a fix to a recently discovered security hole in its system that allowed anyone to access any passenger's mobile boarding pass.

The flaw was first discovered by BuzzFeed intern and founder of Hackers for NY Dani Grant, who shared in a blog post that anyone can simply change a single digit in the boarding pass' URL to come up with someone else's boarding pass. Grant also says that the flaw is not limited to Delta Airlines, as changing URLs has allowed her to come up with a boarding pass for Southwest Airlines. This is most likely because airlines often share the same mobile boarding pass technology.

"After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring," says Delta Airlines spokesperson Paul Skrbec in a statement sent to BuzzFeed. "As our overall investigation of this issue continues, there has been no impact to flight safety, and at this time we are not aware of any compromised customer accounts."

Grant first discovered the security hole Monday night and immediately contacted Delta Airlines support team, which initially issued a generic response to her problem.

Because mobile boarding passes contain the passenger's full name and confirmation number, anyone with access to the boarding pass can use the information included in it to change the flight details, such as the seat number or the flight number. Additionally, the boarding passes do not require a passkey to open. Anyone who gets hold of the URL can open the boarding pass as if they are regular web pages.

The issue has been replicated by representatives from BuzzFeed and Mashable, who changed a single digit in a boarding pass URL and were able to obtain someone else's boarding pass. Representatives from Gizmodo, however, were unable to recreate the issue.

"It's luck of numbers," Grant tells Gizmodo. "Not every URL string corresponds to a valid boarding pass - if you keep changing digits you'll find one."

Southwest Airlines has issued a statement, saying that "the issue was immediately eliminated and we do not have reports of Southwest customers being impacted." The airlines also added that there are "several layers of security that would prohibit a passenger from using a boarding pass that did not belong to them."

Transportation Security Agency press secretary Ross Feinstein says checking of travel documents is only one step in aviation security and airline officers are trained to detect persons who are attempting to board a flight using fraudulent documents.