Air France-KLM left private passenger data freely accessible on the web


Corentin Béchade

December 20, 2023 at 8:06 a.m.



Data security practices at KLM are not ideal © NYC Russ / Shutterstock

Bad news for Air France-KLM a few days before the end-of-year holidays: it seems the airline has been somewhat lax in its measures to secure its passengers' data.

One short link that is easy to guess, and your personal data ends up in the wild. According to an investigation by NOS (the Dutch public broadcaster) and a cybersecurity specialist, Air France-KLM allegedly relied on flawed data protection methods to hide telephone numbers, email addresses and certain passport numbers belonging to the company's customers. The blow is particularly hard for the airline, which had already suffered a hack earlier in the year.

Six characters are not enough

The NOS investigation mainly concerns KLM, but specifies that the data of Air France customers is also affected. To date, KLM has not stated the scale or seriousness of the attack, or even whether passengers' personal information was actually accessed by a malicious actor. The company does assure, however, that the flaw is no longer exploitable.

The problem identified by NOS came from the SMS sent to passengers who had bought a ticket from the company. The message contained a link giving access to their flight information. The problem: the links were only 6 characters long. It was therefore relatively easy for a machine to try thousands of combinations in the hope of landing on a page containing a third party's private data.

As the Dutch public broadcaster explains, “every 100 to 200 attempts resulted in a valid link, meaning many customers’ flight links must have been accessible.” Fortunately, not every link hid personal information. KLM declined to say how many valid links were publicly reachable on the web, saying only that the messages containing these links were sent to “only a small percentage of customers”.

284 million potentially valid links

According to NOS calculations, “approximately 0.5 to 1.5% of the links tested were found to work.” Of the 57 billion possible 6-character combinations, if 0.5% of the links hid flight information, that is 284 million potentially valid combinations. In just a few hours, NOS managed to unearth more than 900 links containing flight information or passengers' personal information.

The many access attempts made by NOS fortunately set off alarm bells at KLM, which deployed a team to correct the problem. From now on, you must log in to access your flight information. Unfortunately, even with this fix deployed, the situation is not ideal.

Security through obscurity

“NOS made no effort to go unnoticed. A malicious actor could very well have kept changing their IP address to stay under the radar,” the public broadcaster explains. Even with the hammering launched by NOS, it took KLM 5 hours to block the IP addresses behind the “attack”.


Hiding information behind a hard-to-guess URL relies on a technique called “security through obscurity”, which is rarely very effective © Jarretera / Shutterstock
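To make the arithmetic behind the 100-to-200-attempts figure concrete, and to show what a defender would look for in the access logs during those 5 hours, here is an added Python example (not code from NOS or KLM). It assumes the six characters are case-sensitive letters and digits, since 62^6 matches the 57 billion combinations cited, and it uses a constructed log sample rather than real traffic.

```python
import math
import secrets
from collections import Counter

# Assumption: the six characters are case-sensitive letters and digits,
# since 62**6 is the ~57 billion combinations the article cites.
ALPHABET_SIZE = 62

def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length

def bits_of_entropy(length, alphabet_size=ALPHABET_SIZE):
    """Guessing resistance of a token, in bits."""
    return length * math.log2(alphabet_size)

def expected_guesses_per_hit(length, live_tokens, alphabet_size=ALPHABET_SIZE):
    """Average random guesses before one lands on a token that is live."""
    return keyspace(length, alphabet_size) / live_tokens

def generate_token(nbytes=16):
    """128 bits from the OS CSPRNG: guessing is hopeless at any request rate."""
    return secrets.token_urlsafe(nbytes)

# Constructed access-log sample (not KLM's logs): one client sweeping the
# flight-link endpoint and mostly missing, one normal customer.
SAMPLE_LOG = """\
203.0.113.7 GET /flight/aB3kX9 404
203.0.113.7 GET /flight/Qw8Lm2 404
203.0.113.7 GET /flight/zZ1Pq0 404
203.0.113.7 GET /flight/Hh7Rt5 200
203.0.113.7 GET /flight/Mn4Vb6 404
198.51.100.22 GET /flight/Kk2Jd8 200
"""

def flag_enumeration(log_text, max_misses=3):
    """Return {ip: misses} for clients whose 404s on /flight/ exceed max_misses.

    A legitimate customer follows one link and hits it; a sweep produces a
    stream of misses, so the miss count (not the hit count) is the signal."""
    misses = Counter()
    for line in log_text.splitlines():
        ip, _method, path, status = line.split()
        if path.startswith("/flight/") and status == "404":
            misses[ip] += 1
    return {ip: n for ip, n in misses.items() if n > max_misses}
```

With 284 million live tokens in a 57 billion keyspace, `expected_guesses_per_hit(6, 284_000_000)` comes out at about 200, matching the reported hit rate; a 128-bit token from `generate_token()` has no practical hit rate, and the miss counter is the kind of signal that could have triggered blocking in minutes rather than hours.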

While KLM says it does not want to give more information on the subject so as not to reveal “details of its security policy”, it is still worrying to see that personal information was freely accessible on the web to anyone who knew where to look. Even if passport numbers, which are highly sensitive, were not always present on flight records, the email address, telephone number and journey details already constitute a valuable trove for hackers with ill intent.

This data is more than enough to build convincing, highly targeted phishing campaigns, so be careful in the coming weeks if you receive suspicious emails from airlines.

Source: NOS
