If you plan to fly Delta this holiday season, you may want to double-check your boarding pass.
As one of my BuzzFeed colleagues recently discovered, a security vulnerability on Delta Airlines’ website allows anyone with a valid boarding pass to access the boarding pass of another traveler, simply by switching the numbers in the URL.
To prove it, my colleague sent me the URL of an old Delta boarding pass, which looks like this:
After tweaking one number in the URL, I refreshed the page and found a new boarding pass — with the passenger’s full information, including his frequent flyer number.
While playing around and testing different URLs, my colleague was able to find tickets for different airlines, like this Southwest boarding pass:
Because the boarding passes include the passenger’s full name and confirmation number, anyone could ostensibly log in via the airline’s website using this information and change seats or potentially even change the flight. Just as troubling, the boarding passes don’t seem to be protected by any levels of security. My colleague was able to successfully send me her current boarding pass URL and I was never prompted to enter any information to access the page.
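The flaw described above is a lookup that trusts the number in the URL. The sketch below is an added example, not code from Delta or from this article: it contrasts that pattern with a link whose ID and expiry are covered by an HMAC signature. The URL layout, function names, key and pass records are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample records; the IDs are sequential, as in the flaw described.
PASSES = {
    1000451: {"name": "A. TRAVELER", "confirmation": "XXXXXX"},
    1000452: {"name": "B. PASSENGER", "confirmation": "YYYYYY"},
}
SECRET_KEY = b"demo-only-key-load-from-a-secret-store"  # placeholder value


def lookup_by_id_only(pass_id):
    """The flawed pattern: the number in the URL is the only thing checked."""
    return PASSES.get(pass_id)


def _sign(pass_id, expires):
    """HMAC-SHA256 over the pass ID and expiry, keyed with a server-side secret."""
    msg = f"{pass_id}:{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(pass_id, ttl_seconds=86400, now=None):
    """Build the path sent to the ticket holder (hypothetical URL layout)."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    return f"/pass/{pass_id}?exp={expires}&sig={_sign(pass_id, expires)}"


def lookup_signed(pass_id, expires, sig, now=None):
    """Return the pass only if the signature matches this ID and is unexpired."""
    now = int(now if now is not None else time.time())
    # Constant-time comparison; fails if the ID or expiry was changed.
    if not hmac.compare_digest(_sign(pass_id, expires), sig):
        return None
    if now > expires:
        return None
    return PASSES.get(pass_id)
```

A signed link still opens for anyone it is forwarded to, so it stops ID guessing but not sharing; tying the page to a logged-in session is what addresses the second problem the paragraph describes.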
Concerned by this significant security failure, my colleague tried to contact Delta Airlines to inquire about the flaw. The airline responded but didn’t address the flaw, or any plans to fix it.
BuzzFeed has also reached out to Delta Airlines about the flaw and will update with any forthcoming comment.
A spokesman for Delta, Paul Skrbec, sent an official statement to BuzzFeed News:
“Security is a top priority for Delta, and we employ multiple levels of it throughout the travel process. After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring.
As our overall investigation of this issue continues, there has been no impact to flight safety, and at this time we are not aware of any compromised customer accounts.
We routinely monitor and perform analysis of data to ensure privacy for our customers. We apologize for any concern this may have caused.”