Airline Emirates 'leaking customers' sensitive data'

Downright dangerous
Downright dangerous

Dubai-based international airline Emirates is leaking its customers' sensitive personal data to third-party marketing partners.

This was discovered by Konark Modi, a data security engineer for Cliqz, who explained in post last Friday, how he was booking tickets for his family through the Emirates Web site when he noticed a few things that raised red flags. He said when booking a flight through Emirates, domestic or international, there are approximately 300 data points related to the booking.

This data is then compiled for the customer on a personalised 'Manage Preferences' page that is e-mailed to the customer once the flight is booked. However, Modi found that the URL of that page - and the data points it contained - were also being shared with "approximately 14 different third-party trackers like Crazy egg, Boxever, Coremetrics, Google, and Facebook among others".

The data includes customer name, customer e-mail, itinerary, phone number, passport number and other details.

Insecure protocol

Even more alarming is the the URL included in Modi's e-mail did not use secure HTTPS protocol, only HTTP protocol which is not only incredibly insecure compared with HTTPS, it can make supposedly "private" Web pages accessible to hackers and other cyber criminals.

Modi said: "This isn't just obnoxious: it's downright dangerous. Anyone who has access to these links can not only read but also edit the information that I as a user can. That includes changing or cancelling the flight, checking out your passport information, changing your seat or meal preference and more."

Full denial

Following Modi's disclosure, Emirates responded with a statement. "We are aware of the article posted by Mr Konark Modi on 2 March 2018. We take all claims of security or privacy breaches seriously and have conducted a thorough review of our sites and systems. We can confirm that none of the security vulnerabilities highlighted in Mr Modi's article will allow a breach (unauthorised access) of personal data on our Web site or mobile app.

"Whilst we do use a number of third party analytical tools on our sites for the purpose of improving the online browsing experience, we continually review how these are implemented. The depiction in Mr Modi's article as to what data is being shared, or customer choice in 'opting out' is inaccurate. We are committed to protecting the privacy of our customer's personal data. Customers can find out more about how we use personal data and how they can opt out by reading our privacy policy on emirates.com."

'Vague and incorrect'

According to Modi, the statement is not only vague?, ?it is factually incorrect. He explained that with Emirates, any changes to an existing booking can be made with only two data points - a booking reference number and a last name. This is standard for most airlines, however in this case, these two data points are being sent to the third-parties named by Modi.

Next, he says the security of HTTPS has been well-established, but Emirates is still using the insecure HTTP protocol that makes links vulnerable to man-in-the-middle attacks and can be injected by malicious data.

Moreover, he points out that Emirates' Privacy & Cookie Policy doesn't list all the third-parties named and the information being shared with them, and the opt-out options processes are tedious and cumbersome.

"Even if the user somehow manages to opt-out of all the trackers using the methods listed and not listed, Emirates will still leak the booking reference and last name which is enough to access all other sensitive information because the implementation of these third-party services on Emirates.com is flawed," concluded Modi.

Little to no encryption

Following Modi's revelations, Web security company High-Tech Bridge checked the airlines' Web site on its free SSL/TSL Security Test and found that the majority of emirates.com subdomains - including reservations - have very weak encryption or no encryption at all.

High-Tech Bridge's CEO, Ilia Kolochenko, said SSL/TSL is one of the main pillars of Internet security, assuring confidentiality and data integrity of data of millions of users every minute.

"High-Tech Bridge launched its free SSL/TLS Security Testing service back in October 2015, enabling the test of any server or service working over SSL-encrypted protocol, including HTTPS, POP3S, IMAP3, SMTPS, LDAPS, FTPS, and more. Since then it has been used to test over 6.18 million servers worldwide."

Have your say
Youtube play icon