This web page was created programmatically. To read the article in its original location, go to the link below:
https://www.wired.com/story/luggage-service-web-bugs-exposed-travel-plans-users-diplomats-airportr/
If you wish to remove this article from our site, please contact us.
An airline leaving all of its passengers’ travel records vulnerable to hackers would make an attractive target for espionage. Less obvious, but perhaps even more useful for those spies, would be access to a premium travel service that spans 10 different airlines, left its own detailed flight information accessible to data thieves, and seems to be favored by international diplomats.
That’s what one team of cybersecurity researchers found in the form of Airportr, a UK-based luggage service that partners with airlines to let its largely UK- and Europe-based users pay to have their bags picked up, checked, and delivered to their destination. Researchers at the firm CyberX9 found that simple bugs in Airportr’s website allowed them to access virtually all of those users’ personal information, including travel plans, and even gain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit. Among even the small sample of user data that the researchers reviewed and shared with WIRED, they found what appear to be the personal information and travel records of multiple government officials and diplomats from the UK, Switzerland, and the US.
“Anyone would have been able to gain or might have gained absolute super-admin access to all the operations and data of this company,” says Himanshu Pathak, CyberX9’s founder and CEO. “The vulnerabilities resulted in complete confidential private information exposure of all airline customers in all countries who used the service of this company, including full control over all the bookings and baggage. Because once you are the super-admin of their most sensitive systems, you have the ability to do anything.”
Airportr’s CEO Randel Darby confirmed CyberX9’s findings in a written statement provided to WIRED but noted that Airportr had fixed the vulnerabilities a few days after the researchers made the company aware of the issues last April. “The data was accessed solely by the ethical hackers for the purpose of recommending improvements to Airportr’s security, and our prompt response and mitigation ensured no further risk,” Darby wrote in a statement. “We take our responsibilities to protect customer data very seriously.”
CyberX9’s researchers, for their part, counter that the simplicity of the vulnerabilities they found means that there’s no guarantee other hackers didn’t access Airportr’s data first. They found that a relatively basic web vulnerability allowed them to change the password of any user to gain access to their account if they had just the user’s email address—and they were also able to brute-force guess email addresses with no rate limitations on the site. As a result, they could access data including all customers’ names, phone numbers, home addresses, detailed travel plans and history, airline tickets, boarding passes and flight details, passport images, and signatures.
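The article does not describe Airportr's code, so the following is an added sketch (not Airportr's or CyberX9's) of a password-reset flow without the two weaknesses named above: knowing an email address is not enough to change a password, and reset requests are rate limited with the same reply for known and unknown addresses. `ResetService`, its in-memory stores, the limits and the example addresses are assumptions for illustration.

```python
import hashlib
import secrets
import time

RESET_TTL = 900      # assumed: seconds a reset token stays valid
MAX_REQUESTS = 5     # assumed: reset requests allowed per client per window
WINDOW = 3600        # assumed: rate-limit window in seconds
GENERIC_REPLY = "If that address is registered, a reset link has been sent."

def hash_password(password, salt=None):
    """Return salt + PBKDF2 digest so no plaintext password is stored."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ResetService:
    def __init__(self, users, clock=time.time):
        self.users = users    # email -> password hash (constructed in-memory store)
        self.tokens = {}      # sha256(token) -> (email, expiry time)
        self.hits = {}        # client id -> timestamps of recent reset requests
        self.outbox = []      # stands in for the outgoing mail queue
        self.clock = clock

    def request_reset(self, client, email):
        now = self.clock()
        recent = [t for t in self.hits.get(client, []) if now - t < WINDOW]
        if len(recent) >= MAX_REQUESTS:
            self.hits[client] = recent
            return 429, "Too many requests."
        self.hits[client] = recent + [now]
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, now + RESET_TTL)
            self.outbox.append((email, token))  # the token leaves only by email
        # Identical reply either way, so the endpoint cannot confirm an address.
        return 200, GENERIC_REPLY

    def set_password(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # single use: gone after one try
        if entry is None or self.clock() > entry[1]:
            return 400, "Invalid or expired token."
        # The account is taken from the token record, never from the request.
        self.users[entry[0]] = hash_password(new_password)
        return 200, "Password updated."
```

A production service would also limit requests per target address and keep tokens and counters in shared storage instead of process memory.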
By gaining access to an administrator account, CyberX9’s researchers say, a hacker could also have used the vulnerabilities they found to redirect luggage, steal luggage, or even cancel flights on airline websites by using Airportr’s data to gain access to customer accounts on those sites. The researchers say they could also have used their access to send emails and text messages as Airportr, a potential phishing risk. Airportr tells WIRED that it has 92,000 users and claims on its website that it has handled more than 800,000 bags for customers.
