Thousands of customer records from cinemas in Zurich and Lucerne were affected, as research by “Kassensturz” shows.
The tip reached “Kassensturz” in April. The joint online ticketing system of several cinemas in Zurich and Lucerne has a serious security gap: customer data could be downloaded and even deleted, writes the anonymous person, who claims to work in IT security. They say they found the gap as a couple, after work.
Shortly thereafter, the first confidential meeting took place between the whistleblower, an IT security expert, and the “Kassensturz” editor, who wanted to see proof that the whistleblower actually had access to customer data.
To the editor’s surprise, he is shown his own account, with surname, first name and e-mail address, along with dozens of other records of visitors to the Zurich cinemas Riffraff and Houdini, the five arthouse cinemas, and the Bourbaki in Lucerne.
Access to movie ticket balances
In many cases, the exact dates of individual cinema visits can be viewed, together with the film, date, time and seat number. “We were very surprised that we found the gap within 90 minutes. We then tested how the server responds when we send requests to it. The result was that the server answered all questions. We could have reset passwords and deleted accounts.” According to the source, they have access to all customer data: “there are thousands of records at stake here”.
The hackers also have access to the credit stored on cinema cards, as a test with the Kassensturz editor’s cinema card shows: they could easily have bought tickets with the balance on it.
The IT experts became aware of the online ticket page because it appeared not to be up to date. The security gap is serious, confirms the renowned IT security expert Marc Ruef: “This customer data has value and can be traded. There are people who want to buy it. A classic goal is to do very targeted phishing: to send people highly personalized e-mails and then ask, for example, whether they will hand over passwords or payment information.”
We understand that this vulnerability needs to be reported.
The two IT experts who discovered the vulnerability did not turn to Neugass Kino AG, which operates the ticket site, but to “Kassensturz”: “It is clear to us that this vulnerability must be reported. However, it happens again and again that the companies concerned threaten to report the finders to the police. That’s why we decided to turn to ‘Kassensturz’ to have some protection.”
According to the National Center for Cybersecurity, the golden rule is to inform the vendor or the system owner directly about the vulnerability. However, discovering and reporting vulnerabilities can have civil and criminal consequences.
Confronted with the security gap, the managing director of Neugass Kino AG, Res Kessler, replies that he is grateful for the anonymous IT security experts’ tip. However, Neugass Kino AG would have liked the whistleblowers to contact the company directly, “as is usual in the industry, instead of taking the detour via the media”. According to Res Kessler, the vulnerability was “closed within hours and cannot reoccur”.