URL LOL: Delta splats web flight boarding pass snoop bug

Delta Airlines techies have fixed a flaw in the biz’s paperless boarding pass system that allowed a hacker to access information on strangers’ flights.

The security vulnerability is down to the URLs used by Delta’s website to serve digital copies of boarding passes to smartphones. These passes appear as QR codes which are scanned at the gate.

By playing about with number and letter combinations in the URL, Dani Grant, founder of Hackers of NY, found she could flick through strangers’ boarding passes, even hopping between airlines, revealing names, destinations, times and other info useful for miscreants.

“The strike rate was high enough that I could spend a minute or two manually trying URLs and find something. Imagine how quickly a script could grab active passes,” Grant told The Register.

The case highlights a worrying lack of security in Delta’s IT systems. URL twiddling is one of the oldest tricks in the hacking playbook – most companies got wise to it a decade or so ago. It’s disappointing that boarding pass code can be fooled so easily.
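To make the flaw concrete, here is an added illustration (not Delta’s code; every pass, token and log line is constructed) of a lookup that hands a pass to anyone who supplies a plausible ID, beside one that keys passes by an unguessable token and checks that the token belongs to the logged-in passenger, plus a simple log check that spots URL guessing from the trail of 404s it leaves:

```python
import secrets
from collections import defaultdict

# Constructed sample data, not Delta's systems. The vulnerable store keys passes
# by a short, guessable ID of the kind that invites URL tampering.
VULNERABLE_PASSES = {
    "AB1001": {"owner": "alice", "flight": "DL123", "seat": "12A"},
    "AB1002": {"owner": "bob", "flight": "DL123", "seat": "12B"},
}
HARDENED_PASSES = {}

def serve_pass_vulnerable(pass_id):
    """The flawed pattern: whoever supplies a valid-looking ID gets the pass."""
    return VULNERABLE_PASSES.get(pass_id)

def issue_pass(owner, flight, seat):
    """Store a pass under a random 256-bit URL-safe token and record its owner."""
    token = secrets.token_urlsafe(32)
    HARDENED_PASSES[token] = {"owner": owner, "flight": flight, "seat": seat}
    return token

def serve_pass_hardened(token, authenticated_user):
    """Return a pass only if the token exists and belongs to the logged-in user.
    Unknown and not-yours tokens get the same answer, so nothing is confirmed."""
    entry = HARDENED_PASSES.get(token)
    if entry is None or entry["owner"] != authenticated_user:
        return None
    return entry

# Constructed access-log lines: "<client> <path> <status>".
SAMPLE_LOG = [
    "10.0.0.5 /boardingpass/AB1001 200",
    "198.51.100.7 /boardingpass/AB1003 404",
    "198.51.100.7 /boardingpass/AB1004 404",
    "198.51.100.7 /boardingpass/AB1005 404",
    "198.51.100.7 /boardingpass/AB1006 404",
    "198.51.100.7 /boardingpass/AB1007 200",
]

def flag_enumeration(log_lines, threshold=4):
    """Flag clients that probe many distinct pass URLs which do not exist.
    A passenger opens one or two passes; a guessing loop leaves 404s
    spread across many different IDs."""
    misses = defaultdict(set)
    for line in log_lines:
        client, path, status = line.split()
        if path.startswith("/boardingpass/") and status == "404":
            misses[client].add(path)
    return sorted(c for c, paths in misses.items() if len(paths) >= threshold)
```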

When Grant contacted Delta she got the following response:

[Image: Delta’s emailed response to the security flaw]

“I haven’t heard from anyone else at the airline since. In their email to me, they ended with ‘You share, we care.’ So I shared,” she said.

“Security is a top priority for Delta, and we employ multiple levels of it throughout the travel process. After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place Tuesday morning to prevent it from occurring,” a Delta spokesperson told The Register.

“As our overall investigation of this issue continues, there has been no impact to flight safety, and at this time we are not aware of any compromised customer accounts. We routinely monitor and perform analysis of data to ensure privacy for our customers. We apologize for any concern this may have caused.”

Grant couldn’t choose what kind of boarding pass the URL jiggering would offer up, and anyone trying this would have to be very lucky to get on a flight with a stranger’s pass. Boarding passes are checked against ID for a start, and even if someone got through with a swiped QR code they’d almost certainly find another person vying for the same seat, and get caught before the aircraft left the terminal.

Even before that, having two people try to check in for the same seat would set off an alarm, you’d hope, but TSA security audits are few and far between.

Delta has now fixed the issue, but the case raises the question of whether the billions spent each year on security theater at US airports are being directed to the right areas. ®