A Delta Airlines Security Flaw Lets You Check In To Flights As Other People

If you plan to fly Delta this holiday season, you may want to double check your boarding pass.

As one of my BuzzFeed colleagues recently discovered, a security vulnerability on Delta Airlines' website allows anyone with a valid boarding pass to access the boarding pass of another traveler, simply by switching the numbers in the URL.

To prove it, my colleague sent me the URL of an old Delta boarding pass, which looks like this:

After tweaking one number in the URL, I refreshed the page and found a new boarding pass — with the passenger's full information, including his frequent flyer number.

While playing around and testing different URLs, my colleague was able to find tickets for different airlines, like this Southwest boarding pass:

Because the boarding passes include the passenger's full name and confirmation number, anyone could ostensibly log in via the airline's website using this information and change seats or potentially even change the flight. Just as troubling, the boarding passes don't seem to be protected by any levels of security. My colleague was able to successfully send me her current boarding pass URL and I was never prompted to enter any information to access the page.

Concerned by this significant security failure, my colleague tried to contact Delta Airlines to inquire about the flaw. The airline responded but didn't address the flaw, or any plans to fix it.

BuzzFeed has also reached out to Delta Airlines about the flaw and will update with any forthcoming comment.