Lack of data protection – Serious security gap in the cinema ticket platform – Kassensturz Espresso



Thousands of customer records from cinemas in Zurich and Lucerne were affected, as research by “Kassensturz” shows.

The tip reached “Kassensturz” in April. The joint online ticketing system of several cinemas in Zurich and Lucerne has a serious security gap: customer data could be downloaded and even deleted, writes the anonymous person, who claims to work in IT security. They say they found the gap together, working as a pair after hours.

[Image caption: The IT expert shows the editor the serious security gap. Photo: SRF]

Shortly thereafter, the first confidential meeting took place between the whistleblower, an IT security expert, and the “Kassensturz” editor, who wanted to see proof that the whistleblower actually had access to customer data.


To the editor’s surprise, he is shown his own account: surname, first name, e-mail address, along with dozens of other records of visitors to the Zurich cinemas Riffraff and Houdini, the five Arthouse cinemas and the Bourbaki in Lucerne.

Access to movie ticket balances

In many cases, the exact dates of individual cinema visits can be viewed, including film, date, time and seat number. “We were very surprised that we found the gap within 90 minutes. We then tested how the server responds when we send requests to it. The result was that the server answered all of our queries. We could have reset passwords and deleted accounts.” According to the source, they have access to all customer data: “there are thousands of data records at stake here”.

The two also have access to the credit stored on cinema cards, as a test with the “Kassensturz” editor’s cinema card shows: they could easily have bought tickets with his credit.

The IT experts became aware of the online ticket page because it appeared to be out of date. The security gap is serious, confirms the renowned IT security expert Marc Ruef: “This customer data has value and can be traded. There are people who want to buy it. A classic goal is very targeted phishing: sending people highly personalized e-mails and then asking, for example, whether they will hand over passwords or payment information.”

We understand that this vulnerability needs to be reported.

The two IT experts who discovered the vulnerability did not turn to Neugass Kino AG, which operates the ticket site, but to “Kassensturz”: “It is clear to us that this vulnerability must be reported. However, it happens again and again that the companies concerned threaten to press charges against the people reporting. That’s why we decided to turn to ‘Kassensturz’ to have some protection.”

According to the National Center for Cybersecurity, the golden rule is to inform the vendor or the system owner directly about the vulnerability. However, discovering and reporting vulnerabilities can have civil and criminal consequences.

Statement by Res Kessler, Managing Director of Neugass Kino AG

  • To classify the risk potential, it should be noted that access to data always harbors the potential for misuse. However, detecting the vulnerability required a high level of expertise. The available user data became potentially accessible through the intrusion. However, it was not possible to obtain this data directly or easily. The intrusion into the online ticketing system was targeted and planned, very laborious, and required the execution of multiple queries, including a sophisticated trial-and-error approach.
  • Unfortunately, we were only made aware of the security gap when “Kassensturz” contacted us. However, we wish the anonymous security researchers had contacted us directly, as is standard in the industry, through the security.txt file that appears on every website we run.
  • As part of a system update, we conducted and successfully completed a full security audit of the application and related services in collaboration with a company specialized in such cases. This eliminated the risk of further vulnerabilities.
  • The examination of the log files did not reveal any abuse. This means that no damage has been caused and no further measures are necessary for our customers.

Confronted with the security gap, the managing director of Neugass Kino AG, Res Kessler, replies that he is grateful for the anonymous IT security experts’ tip. However, Neugass Kino AG would have preferred the whistleblowers to contact the company directly, “as is usual in the industry, instead of taking the detour via the media”. According to Res Kessler, the vulnerability was “closed within hours and cannot reoccur”.
