Industry News

Delta Airlines security flaw allows access to strangers’ boarding passes

You would like to think that airlines are taking security seriously.

After all, every time you try to board a plane you’re asked to take off your belt and shoes, prove that your laptops boot up, discard any liquids that weren’t bought in Duty Free, and dispose of your toenail clippers.

Which makes it all the more ironic that it appears some airlines make it so darn easy to grab a complete strangers’ electronic boarding pass.

Dani Grant, the founder of Hackers of NY and an intern at Buzzfeed (which can’t have hurt at all in getting the story the attention it deserved) discovered that it was child’s play to access someone else’s boarding pass – just by changing the URL that Delta Airlines had sent her.


Indeed, she found she could even end up with tickets for a completely different airline


As Dani Grant reported, she had the capability to even check in as the strangers and change their seat.

The mind boggles at the stupidity of the boarding pass website having this fundamental error in its design – known as insecure direct object references.

These type of vulnerabilities works like this.

A website gives you a URL to access your private information (such as your airline ticket).

The URL might take the form of something like this, where 123456 is your account number:

If the website does not properly authenticate if you are allowed to access that particular account (for instance, by asking for a password or requiring an additional token based upon a cryptic hash), then it’s child’s play for someone to simply change the account number in the URL.

For instance, here the account ID has been changed to access other users’ information:

You hardly have to be an elite hacker to change a URL and access someone else’s boarding pass.

Clearly Delta’s customer support team didn’t understand the severity of what was being reported to them, with their response which failed to say that they would be getting the site fixed before it could be abused.


Hopefully whoever was responsible for the website has had a sharp kick up the backside about security, and won’t make this elementary mistake again. Websites containing sensitive information must be properly engineered to protect users’ privacy and treat security as a high priority.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


Click here to post a comment
  • Didn’t another travel agency (but hotel) web site have this exact same issue ? This year ? And didn’t they go belly up ? (One hopes the jets go up too, although perhaps not belly up. If their website as described went belly up, however…) Indeed it is hard to imagine they don’t take it serious. It isn’t surprising of course. What should be shocking (but again not surprising) is how they responded to it. That is, I’m afraid, in some ways worse than denying the issue outright. At least when a vendor denies a risk (or claims it is not as serious as is claimed (but how would they know when someone else found it, not them?), they have somewhat of a clue (just don’t care which is to say irresponsible and clueless in other things). While that isn’t excusable, here it is even less excusable (certainly not any more excusable but I still think in some ways it is worse): they are not only denying it (indirectly) but they are dismissing it as if they take it seriously and just hope everything will go OK next time (but it wasn’t OK this time so why do they think it would be OK next time without any change ?).

    Funny thing (funny in a twisted sense of the word) is this mirrors exactly what I’ve said for years about security (this goes for all kinds of security and ironically enough it was also about airliners that I was remarking about):

    They claim they take things seriously, that they are boosting their security measures. Why do they keep having to say this, though? Why do they repeatedly tell everyone they are increasing their security measures and are taking it more seriously? Shouldn’t they always be that way (and therefore not needing to claim this – it is always there and should be considered obvious)? Well it is simple (besides the fact they are competing with NASA on being a major broken record, that is… it is a pretty tight race but I still think NASA’s rocket engines beat the jet engines… and not only would the rocket engines beat the record of the jet engines, NASA is quite dilligent with this cycle) Because they DO boost (sort of like their jets are boosted up in to the air then down… hopefully safely!) it for a time (depending on the engine power it will take different amounts of time). They feel safe, they lower their guards (this post is very fun, pun wise!) and what happens? They do the same thing over again (sort of like they go round and round the world… over and over again). Yet if it happened one time (and plane hijacking is decades old, let’s remember that!) why do they think it is less likely to happen later? It happened so therefore you should never think it just goes away (just like you shouldn’t leave all your confidential information in plain sight). Even though this incident is online, my analogy (which was about physical security) applies equally as much. Just like politics will never go away, neither will these risks. That’s just life.

    I don’t think they’ll ever learn but to be fair to them it isn’t just them (I don’t know if that is worse or not though): they aren’t alone, at least (scary as that may be).

  • Apparently fixed now:

  • I found the same situation some years ago when conducting a Due Diligence for American Express.

    ThomsonReuters were hosting some Investor Information for American Express prior to release to Wall Street Analysts, and I found I could change the ‘name’ within the URL to look at pre-release information for Southwest Airlines.

    Took me forever to explain to ThomsonReuters what was ‘remiss’ with their solution.

  • I believe you also have to show a picture ID before boarding, so the insecure direct access to online boarding passes is not the whole story, nor is it a single point of failure.