A flaw in Thomas Cook Airlines’ systems allowed customers’ information to be accessed with only their booking number.
Norwegian programmer Roy Solberg discovered an Insecure Direct Object Reference (IDOR) on the company’s website which allowed unauthorised access to the full name, email address and flight details of all travellers on a flight. Users checking their own details only had to change the booking reference number in order to view the details of any other passenger.
Solberg wrote that links from Thomas Cook Airlines emails to their domain airshoppen.com were click registration URLs which also contained a redirect URL, following the pattern:
https://no.airshoppen.com/autologin?ReturnUrl=/oppgrader-flyreisen-din&bookingNo=<integer booking number>&tourOperatorTag=<short name tour operator>&depDate=<departure date>&<some UTM parameters>
By editing these details, other customers’ information could be accessed. He also found that the booking date had an error margin of +/- one day, likely to account for timezone differences, which brought the number of dates a hacker would need to guess down to 120 per year. Given that Ving’s booking numbers appear to be incremental integers, one would expect sequential booking numbers to have similar departure dates (within the year at least). This information would significantly reduce the difficulty of accessing other people’s information.
He then found that once logged in, sending the call
curl 'https://no.airshoppen.com/Account/SelectPassenger' \ --data 'SignInModel.SelectedTourOperatorTag=<short name tour operator> &SignInModel.BookingNo=<booking number>'
would return personal information, simplifying the access process further.
The information which could be accessed in this way covered trips booked through Thomas Cook subsidiary Ving, a travel agency. Solberg did not trawl extensively through the data, but did find that the earliest accessible data was for a departure in 2013, and the latest was for 2019. Extrapolating from this information, he estimates that tens of thousands of records could be accessed in this way.
Testing the vulnerability with booking numbers supplied by friends and family – and some publicly searchable on Google – Solberg found that it was possible to access data for customers travelling with Ving Norway, Ving Sweden and Spies Denmark using only the booking number. He was also able to access records for Apollo Norway customers, but because this company’s booking numbers are not ‘easily guessable’ – i.e. not incremental – he was unable to access other customers’ records using this exploit.
He also pointed out that airshoppen.com handles many travel companies from throughout Europe, and that he “would expect at least some of them to be vulnerable through this leak”.
After discovering the vulnerability, Solberg contacted airshoppen.com via a web form to disclose it, but did not hear back apart from an automated reply email. He then proceeded to contact Ving, which told him the issue would be passed on to Thomas Cook. Over the next week or so several conversations with representatives from both Ving and Thomas Cook proved fruitless, as he was told multiple times that the hack he was describing was not possible, following which Ving and Thomas Cook cut off contact.
However, when he checked the site two weeks after discovering the flaw (13 days after reporting it), the issue had been fixed. He received an email from Thomas Cook the next day verifying that they had identified and fixed the vulnerability, and saying that they would continue working to improve security. He later received a phone call from another Thomas Cook representative thanking him for reporting the issue and apologising for the lack of contact.
Although Solberg says that he felt reassured after the phone call that Thomas Cook was taking the issue seriously, the company says it is not treating the incident as a notifiable privacy breach.
“Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities,” the company said in a statement. “For the same reasons we have not contacted the customers affected.”
Name and email information is always sought after by hackers but is not hard to find online. However, information about flights – as Solberg points out – could be exploited in spearphishing campaigns.
He also (perhaps a little tongue-in-cheek) points out that the information can be used to track where a specific individual travelled and who else was on the flight, giving a hypothetical example: “Didn’t you say you were going to that job conference in Stockholm? And who is this you were travelling with?”
According to the company, there is no indication that anyone else exploited the vulnerability. A spokeswoman also stressed that UK customers would not have been affected.
A spokesperson for the Information Commissioner’s Office said: “An organisation must assess if a breach should be reported to the ICO. However, this story does raise some potential concerns and we will be making further enquiries.”