United Revealed Full Flight Passenger Lists On Website

Security researcher looking for a flight late at night stumbles upon a
bug in United’s website that shows anyone who asks who will be on a particular flight. (Nothing like trusting a massive airline to keep your data safe.) The problem appears to have been in an invalid web session the researcher was using.

United’s since fixed the problem, but think for a sec about what someone might do with this exploit — running it slowly but repeatedly would let an attacker get lists of everyone on every United flight, in real time. As someone who managed to travel a fair bit, the idea of the whole world seeing I’ll be on a particular flight is a bit disquieting.

(In that respect, the anonymity of train travel is far superior — buy a ticket in cash and no worries. That said, if you do ever travel Amtrak, take my word for it and avoid the restaurant.* Much better to pick up your own non-perishable food at a grocery store before your trip.)

* I’m reminded of an old anecdote. At a European conference with a guy who happened to have a background as a food-service engineer, the guy pointed at the display case temperature readout at the fast-food stand we were about to order from. His comment was something on the order of “Don’t eat anything from that case. Nobody else here will know this, but at that temperature the first sign of a problem will be an ambulance.”


“In this case, it was a late night and I was trying to buy a last-minute flight, shopping around to get a reasonable price. I had several tabs open to various airlines, and was searching on and off for a few hours. I finally made a decision and decided to purchase a ticket from United Airlines.

I picked a seat and was presented with a page to enter my info for the TSA (pretty standard these days). United had recently updated their site’s interface and had a dropdown to select saved passengers. I clicked the dropdown and was surprised to see a large number of names, none of which were mine. I looked down the list, noticing patterns in people with the same last name, and realized what I was likely looking at: the passenger manifest for the flight.

Kind of scary, and nothing I had any business looking at. This was something that I ran into completely organically, no shenanigans or security testing on my part (we need approval from a site’s owner to run most security testing, and I’m not going to go out and violate wire fraud laws).

As serendipity would have it, a help widget popped up on the page, likely because I wasn’t moving forward in the purchasing process. I dutifully called United to report the problem. Emulating my account they weren’t able to reproduce the issue. I still could, and several parts of the site like the account management page were completely broken and displaying “None” for all of the values. Finally giving up and logging out, everything was back to normal. Hmmm.

So what was going on?

I don’t have direct access to United’s code, but I think that my session (likely invalid) was part of the problem, since logging out seemed to solve the problem. Sessions, especially long-lived ones, can be tricky to manage. If my session was broken, I should have been issued a new one or in the worst case (from a UX perspective) lost my progress and had to log in again. Instead, it defaulted to showing me things that didn’t belong to me. Some list was probably supposed to be filtered by the user in the session, and since my user was now unset or invalid nothing got filtered out. Just some educated guessing here but it illustrates a situation where an invalid session leads to a lot of private information getting leaked.”


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: