Information Security News mailing list archives

aa.com not encrypting customer transaction data
From: InfoSec News <isn () c4i org>
Date: Tue, 18 Sep 2001 03:03:30 -0500 (CDT)

Forwarded from: "Jay D. Dyson" <jdyson () treachery net>


Courtesy of Bugtraq.

It would appear that American Airlines' security problems aren't the
exception...they're the rule.

- ---------- Forwarded message ----------
Date: Mon, 17 Sep 2001 10:39:06 -0700
From: Chris Fairbourne <chris.fairbourne () camsystems com>
To: "'bugtraq () securityfocus com'" <bugtraq () securityfocus com>
Subject: aa.com not encrypting customer transaction data

Looks like aa.com (American Airlines) is NOT encrypting customer data for
purchasing e-tickets.
Hopefully this isn't still the case by the time this posts.
This holds true for both Advantage login and non-members as well.
At no time did I get a redirect to an SSL server for my session.

Taking a peek at the "Passenger Details" page source, nowhere do you find
"https" or ":443", hmm.
Next I make a phony submission and lo and behold this is what I grabbed:
" f o r m % C I _ C r e d i t C a r d T o U s e _ C a
 r d N u m b e r "   v a l u e = " 4 3 2 3 5 0 1 9 8 3 5 1 9 9 9 9 "

I've made several phone calls to aa.com and generated a few e-mails.
I can't convince them I'm wrong, so I bring it to this forum.


Chris Fairbourne
pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x371E73BB 
fingerprint: 7AE3DCC82215697A0C3F61C4968FCFDB371E73BB 



ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
