The first time it happened it appeared by seeing "Treat yourself, Samantha" in the website ad for upgrading yourself to Premium class. My name is not Samantha.
I clicked, and saw Samantha Lastname was traveling from Miami to Seattle. There was her phone number, record locator, ticket and mileage numbers, emails and other info. It also would have let me change or cancel her flights.
When I refreshed I got a new person. Trevor. He's going from JFK to SEA, and back to EWR.
I figured this wasn't one-off (yet still serious) bug, and called Alaska Support. They didn't believe me, but once I had rattled off the customer information I had in front of me and told them I'm none of these people, they transferred me to somewhere I thought was a higher up.
The higher-up person verified some information, asked no questions on how to replicate the bug, and asked me to log out and log back in. Once I did, the issue did not show up again. They said they'll send me 3,000 points for reporting. That sounded pretty low to me as it seemed like a serious data leak, but whatever.
I contemplated whether to post about this as I thought it would be interesting for the HN audience to see, but decided against it thinking I'll give Alaska time to fix it.
It's been 4 months now, and today this happened again. I saw an upgrade ad for Sally. Sally and Chris are traveling in the same reservation from Redmond, OR to Seattle in Main Preferred class. Knowing what I was looking at, I figured Alaska had done absolutely nothing to fix the issue.
I have a theory what's causing it as there's something specific that happened before both of these issues, but I'll refrain from posting it here so it's not as easy to exploit. Who knows what else the payload might include.
I took screenshots throughout the process, including some console logs, to document what I saw. I am sharing this here in the hope that the added visibility will finally push Alaska Airlines to address the issue.
I would advise submitting this is the state of Washington and DOT federal and state.
Technically this is a data breach. Atg.wa.gov I would submit a data breach notification this will force them to actively fix it this month otherwise they will sit on it and push it off per agile sprint and do it when it’s convenient for the airline. Post holiday rush.
And you have agreed not to access any information not yours. So if in n months you will be greeted "Treat yourself MikkoX" you are not allowed to click anymore.
Not necessarily trying to say you did the wrong thing. But I do hate corporate lawyers.
Actually call if possible.
What you’ve done here is a criminal act according to the CFAA, and your exploration of their site could also be construed as wire fraud. As you’ve done this across state lines this is also a federal felony. You’re also in violation of the GLBA, as you’re disclosing the availability of airline customer information. You could also fall foul of the FTC and the wiretap act.
I have seen people (Weev, Michael Brown, numerous others) go to prison for similar, and this lot could win you years in a federal penitentiary.
Please, consider the legal consequences this could bring upon you.
I would simply forget about it and promptly delete this - it’s their problem, not yours, and by posting about it here, they could decide to make it your problem.
The bottom line is we need a mechanism to ensure security bugs are fixed. Publicly disclosing security bugs when an organization does not fix the bug is a good way to do this.
Note this practice started in the 1980s or early 1990s because software venders refused to fix security bugs. The full disclosure movement was created because security researchers wanted the bugs fix and publicly disclosing them was the only way to get some organizations to fix their security bugs.
Not posting personal information is irrelevant - that he has accessed it and admits doing so, is.
Prior disclosure is irrelevant. There’s case law that makes this clear.
Not including repro steps is irrelevant as merely disclosing the presence of a vulnerability is enough to fall foul of the CFAA, as the reasonableness test is whether a competent person could with the knowledge given reproduce the vulnerability, to which the answer is almost always yes. They also admit using the vulnerability, which is definitely a violation of the CFAA.
I agree wholeheartedly with your sentiment that this is nuts, but this is the way the law has been written and applied, and he is taking a serious risk with this disclosure.
Most companies don't give them the training, autonomy, problem solving tools, or even buy-in to deal with something like this.
When I call in I expect them to be able to change my reservation and handle seat changes and such. I don't expect them to be able to triage a tech support call and tell the difference in severity between, say, a shared computer with somebody else's login, a browser caching issue, a database hack, a proxy or CDN issue, etc.
For that to actually happen support staff has to be empowered to think for themselves and also be compensated enough to care.
Not blaming you, we all do this. Just stating a fact.
Thats why you are required to have two to verify, ticket number or last name but in old old systems you always used the ticket number as that had all the passenger information, coupon status, route, etc the PNR is just a shortcut to facilitate this.
Nowadays of course the booking reference is virtual.
Another thing to note is (unless something's changed in the 15 years since I left the airline industry) that non-trivial booking changes (i.e. not just passenger information changes) generally result in a new PNR being generated to replace the old one, effectively using up the old code.
If this is some content that isn't always shown, it could be semi-rare for the upgrade message to show up at all, which is how this kind of thing sneaks past basic QA. Also sometimes QA is operating with low traffic, such that you might still just see your own information simply because you're the only one using the site right now.
I commend your ethics, but I'm going to be straight with you: Alaska isn't going to do anything until tangible harm and damage occurs. The cost to address the problem is higher than the cost to just ignore it. Alaska probably won't think this even is a problem yet, for that matter.
If you still want to be an unwarranted gentleman, I would report this again but put a firm deadline to disclosure and say "No" is not an answer. Also have a lawyer handy if you choose to make this a problem for them.
(I'm not affiliated with them, just an occasional customer who's wondering if they have a bad reputation in this regard or something.)
No, though I'm a frequent flyer and have a fairly lukewarm view of them compared to other airlines.
>why do you believe this to be the case?
Generally speaking, people will take the path of least resistance and even moreso if they're professionals who probably aren't paid enough to care enough. Beancounters also won't care beyond the numbers in their spreadsheets.