Information Security News
mailing list archives
aa.com not encrypting customer transaction data
From: InfoSec News <isn () c4i org>
Date: Tue, 18 Sep 2001 03:03:30 -0500 (CDT)
Forwarded from: "Jay D. Dyson" <jdyson () treachery net>
-----BEGIN PGP SIGNED MESSAGE-----
Courtesy of Bugtraq.
It would appear that American Airlines' security problems aren't the
exception...they're the rule.
- ---------- Forwarded message ----------
Date: Mon, 17 Sep 2001 10:39:06 -0700
From: Chris Fairbourne <chris.fairbourne () camsystems com>
To: "'bugtraq () securityfocus com'" <bugtraq () securityfocus com>
Subject: aa.com not encrypting customer transaction data
Looks like aa.com (American Airlines) is NOT encrypting customer data for
Hopefully this isn't still the case by the time this posts.
This holds true for both Advantage login and non-members as well.
At no time did I get a redirect to an SSL server for my session.
Taking a peek at the "Passenger Details" page source, nowhere do you find
"https" or ":443", hmm.
Next I make a phony submission and lo and behold this is what I grabbed:
" f o r m % C I _ C r e d i t C a r d T o U s e _ C a
r d N u m b e r " v a l u e = " 4 3 2 3 5 0 1 9 8 3 5 1 9 9 9 9 "
I've made several phone calls to aa.com and generated a few e-mails.
I can't convince them I'm wrong, so I bring it to this forum.
-----BEGIN PGP SIGNATURE-----
Comment: See http://www.treachery.net/~jdyson/ for current keys.
-----END PGP SIGNATURE-----
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
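
Added example, not part of the original post or of any aa.com code: the page-source check described in the message (looking for "https" in the form that collects card data), written as a small form auditor that also flags a form page served without TLS. The host names, the SENSITIVE list and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Name fragments treated as sensitive (assumed list; extend for your forms).
SENSITIVE = ("card", "cvv", "passw", "ssn")

class FormCollector(HTMLParser):  # gathers each form's submit URL and sensitive fields
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._cur = {"target": target, "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "select", "textarea") and self._cur is not None:
            name, kind = a.get("name") or "", (a.get("type") or "").lower()
            if kind == "password" or any(s in name.lower() for s in SENSITIVE):
                self._cur["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_forms(page_url, html):
    """Return (target, fields, reasons) for sensitive forms exposed to cleartext."""
    collector = FormCollector(page_url)
    collector.feed(html)
    findings = []
    for form in collector.forms:
        reasons = []
        if urlsplit(form["target"]).scheme != "https":
            reasons.append("submits over cleartext")
        if urlsplit(page_url).scheme != "https":
            reasons.append("form page served without TLS")
        if form["fields"] and reasons:
            findings.append((form["target"], form["fields"], reasons))
    return findings

# Constructed sample page; the field name is modelled on the one quoted in the post.
SAMPLE = """<form method="post" action="/passengerDetails">
  <input type="text" name="CreditCardToUse_CardNumber">
</form>
<form action="https://secure.example.test/search"><input name="q"></form>"""

print(audit_forms("http://www.example.test/booking", SAMPLE))
```

A relative action inherits the scheme of the page that carries the form, which is why the page URL is checked as well as the submit target.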