Saturday, 2 August 2025

Luggage Services Security Flaws Expose Travel Plans of Thousands

A UK-based luggage service, Airportr, which partners with airlines to manage luggage pick-up, check-in and delivery for travellers, was found to have significant security vulnerabilities. Researchers at CyberX9 discovered bugs in the company's website that allowed access to users' personal information and even administrator privileges.

The security flaws potentially exposed the travel plans and personal data of a large number of users, including government officials and diplomats from the UK, Switzerland, and the US. The researchers were able to access names, phone numbers, home addresses, detailed travel plans, airline tickets, boarding passes, flight details, passport images, and signatures. Furthermore, the vulnerabilities could have allowed malicious actors to redirect or steal luggage, cancel flights, and send phishing emails.

CyberX9 found they could exploit a basic web vulnerability to change user passwords with just an email address, and could brute-force guess email addresses with no rate limiting in place. They also intercepted an API key during the signup process, which allowed them to change other users' passwords. Access to an administrator account would have provided complete control over all operations and data, enabling malicious actions such as luggage redirection, theft, and flight cancellations. While Airportr claims to have addressed the issues after being notified by CyberX9, the researchers caution that the simplicity of the vulnerabilities raises concerns that other hackers may have already accessed the data.
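A password-reset flow that closes the two gaps described above (reset with only an email address, unlimited address guessing), as an added example that is not Airportr's or CyberX9's code. The class and function names, the limits and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import secrets
import time


def hash_password(password, salt=None):
    """Salted PBKDF2 hash, so the store never holds plaintext passwords."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ResetService:
    MAX_REQUESTS, WINDOW, TOKEN_TTL = 5, 900, 600  # assumed limits, in seconds

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts  # email -> (salt, password hash)
        self.clock = clock
        self.hits = {}    # client id -> timestamps of recent reset requests
        self.tokens = {}  # sha256(token) -> (email, expiry time)
        self.outbox = []  # stands in for mail delivery: (email, token)

    def request_reset(self, email, client):
        now = self.clock()
        recent = [t for t in self.hits.get(client, []) if now - t < self.WINDOW]
        if len(recent) >= self.MAX_REQUESTS:
            self.hits[client] = recent
            return "rate_limited"  # caps address guessing from one client
        self.hits[client] = recent + [now]
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (email, now + self.TOKEN_TTL)
            self.outbox.append((email, token))  # reaches only the mailbox owner
        return "accepted"  # identical reply for known and unknown addresses

    def confirm_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # a token works once
        if entry is None or self.clock() > entry[1]:
            return False
        # The account is taken from the token record, never from caller input.
        self.accounts[entry[0]] = hash_password(new_password)
        return True

    def check_password(self, email, password):
        salt, stored = self.accounts[email]
        return secrets.compare_digest(stored, hash_password(password, salt)[1])
```

The per-client limit only slows guessing from a single source; a production service would also limit per target address and alert on bursts of reset requests.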

Original source: https://yro.slashdot.org/story/25/08/01/219227/a-luggage-services-web-bugs-exposed-the-travel-plans-of-every-user?utm_source=rss1.0mainlinkanon&utm_medium=feed

Article generated by LaRebelionBOT