Full Disclosure mailing list archives

BA website discloses passenger passport numbers and D.O.B.
From: Adam Laurie <adam.laurie () thebunker net>
Date: Wed, 03 May 2006 14:43:49 +0100

In January of this year I reported to British Airways that it was possible to recover arbitrary passengers' confidential information, including Date Of Birth and passport details, by simply matching a frequent flyer number to a surname when purchasing a ticket via their website. Since this information is printed on every boarding pass, any discarded passes can potentially provide an attacker with the information he needs to access the data via the website.

The problem exists because of the US Government's requirement for airlines to provide Advance Passenger Information for all passengers destined for their shores. It is left to the airlines themselves to administer the data collection systems, and, therefore, to make their own mistakes in the security systems that control access to that data. The more airlines that implement these systems, the more potential security holes will exist.

Full story here:


Adam Laurie                         Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd.      Fax: +44 (0) 1304 814899
Ash Radar Station                   http://www.thebunker.net
Marshborough Road
Sandwich                            mailto:adam () thebunker net
CT13 0PL
UNITED KINGDOM                      PGP key on keyservers

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
