If you plan to fly Delta this holiday season, you may want to double check your boarding pass.
As one of my BuzzFeed colleagues recently discovered, a security vulnerability on Delta Airlines’ website allows anyone with a valid boarding pass to access the boarding pass of another traveler, simply by switching the numbers in the URL.
To prove it, my colleague sent me the URL of an old Delta boarding pass, which looks like this:
After tweaking one number in the URL, I refreshed the page and found a new boarding pass — with the passenger’s full information, including his frequent flyer number.
While playing around and testing different URLs, my colleague was able to find tickets for different airlines, like this Southwest boarding pass:
Because the boarding passes include the passenger’s full name and confirmation number, anyone could ostensibly log in via the airline’s website using this information and change seats or potentially even change the flight. Just as troubling, the boarding passes don’t seem to be protected by any levels of security. My colleague was able to successfully send me her current boarding pass URL and I was never prompted to enter any information to access the page.
Concerned by this significant security failure, my colleague tried to contact Delta Airlines to inquire about the flaw. The airline responded but didn’t address the flaw, or any plans to fix it.
BuzzFeed has also reached out to Delta Airlines about the flaw and will update with any forthcoming comment.
A spokesman for Delta, Paul Skrbec, sent an official statement to BuzzFeed News:
“Security is a top priority for Delta, and we employ multiple levels of it throughout the travel process. After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring.
As our overall investigation of this issue continues, there has been no impact to flight safety, and at this time we are not aware of any compromised customer accounts.
We routinely monitor and perform analysis of data to ensure privacy for our customers. We apologize for any concern this may have caused.”
- More than 90 people have died in Indonesia's earthquake, officials say. Thousands of rescuers are being deployed to the hit area.
- Fake news fools most Americans who read it — and Facebook is a major source, a BuzzFeed News survey has found 📰❌
- A refrigerator is being eyed as the possible origin of the fire at an Oakland warehouse party that killed 36 people, a law enforcement official said.
- An adorable 3-year-old boy proudly covered his kitchen with carrots in the greatest carrot heist of all time 😂👏