A bug hunter recently discovered that Thomas Cook Airlines had carried a security vulnerability for years, one that made it possible for attackers to systematically download hundreds of thousands of passenger flight details and personal data going back as far as 2013.
The issue, rated a medium to high severity level, leaked personal and travel information but is reportedly now fixed, according to a 9 July blog post by Roy Solberg. After booking his vacation, Solberg reportedly received an email from Thomas Cook Airlines with a suspicious link to airshoppen.com.
“I never downloaded a lot of data as I don’t want anyone to question my motives, but I do like to get an idea of the scope of the data leak, so I did a few tests to see if I could see how many bookings this was affecting,” Solberg wrote. In his tests, Solberg found Ving (Thomas Cook's Scandinavian travel brand) bookings from as far back as 2013, with the most recent one from 2019.
Using only a booking number, it was possible to retrieve all names on the travel booking along with the email address of the person who registered it. Also included in the data were departure and arrival dates with airport and flight number information. After nearly two weeks of attempting to disclose the vulnerability, Solberg reportedly received little more than frustrating exchanges before never hearing from Thomas Cook Airlines again.
Three days after he went to the press, the vulnerability was reportedly fixed. This class of vulnerability, known as an Insecure Direct Object Reference (IDOR), is both commonly encountered on poorly designed web applications and easy for an attacker to exploit: the server hands over a record to whoever supplies its identifier, without checking that the requester is entitled to it, so an attacker only needs to guess or enumerate identifiers. The leaked data raises concerns for both privacy and phishing, since a passenger's name, email address and exact flight details are all an attacker needs to craft a convincing message.
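To make the IDOR pattern concrete, the following is an added illustration, not code from Solberg's write-up or from any Thomas Cook or airshoppen.com system. It puts a lookup that answers to the booking number alone beside a hardened version that also demands something the identifier does not reveal (here the booking owner's email), and models the kind of scoping test Solberg described by walking sequential numbers against each endpoint. The booking records, the sequential numbering, the field names and the email-based check are all constructed assumptions for the example.

```python
# Added example: an Insecure Direct Object Reference (IDOR) lookup beside a
# hardened lookup. Not code from Solberg's post or from any Thomas Cook,
# Ving or airshoppen.com system. Records, identifiers and the ownership
# check are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import hmac


@dataclass(frozen=True)
class Booking:
    ref: str             # booking number; assumed sequential, as in many legacy systems
    owner_email: str     # email of the person who registered the booking
    passengers: tuple    # every name on the booking
    flight: str
    departs: str
    arrives: str


# Constructed sample data standing in for the bookings table.
BOOKINGS: Dict[str, Booking] = {
    "100001": Booking("100001", "alice@example.com", ("Alice A", "Bob A"),
                      "XX1234", "2019-07-01", "2019-07-08"),
    "100002": Booking("100002", "carol@example.com", ("Carol C",),
                      "XX5678", "2013-03-12", "2013-03-19"),
    "100003": Booking("100003", "dave@example.com", ("Dave D",),
                      "XX9012", "2019-06-20", "2019-06-27"),
}


def _public_view(b: Booking) -> dict:
    """Fields the booking page shows: the same data the article says leaked."""
    return {"names": list(b.passengers), "email": b.owner_email,
            "flight": b.flight, "departs": b.departs, "arrives": b.arrives}


def lookup_booking_vulnerable(ref: str) -> Optional[dict]:
    """IDOR: whoever supplies a booking number gets the whole record.
    Nothing ties the request to the person who owns the booking."""
    b = BOOKINGS.get(ref)
    return None if b is None else _public_view(b)


def lookup_booking_hardened(ref: str, claimed_email: str) -> Optional[dict]:
    """Require a second value an attacker cannot derive from the identifier
    (the owner's email), compared in constant time, and return the same
    "not found" answer for a wrong number and a wrong email so the response
    does not confirm which booking numbers exist."""
    b = BOOKINGS.get(ref)
    if b is None:
        return None
    expected = b.owner_email.strip().lower().encode()
    supplied = claimed_email.strip().lower().encode()
    if not hmac.compare_digest(expected, supplied):
        return None
    return _public_view(b)


def enumerate_bookings(lookup: Callable[[str], Optional[dict]],
                       start: int, count: int) -> List[str]:
    """Model a scoping test: walk sequential booking numbers and record the
    ones the endpoint answers. Against the vulnerable lookup this is the
    whole attack; against the hardened one it finds nothing."""
    hits: List[str] = []
    for n in range(start, start + count):
        if lookup(str(n)) is not None:
            hits.append(str(n))
    return hits


if __name__ == "__main__":
    print("vulnerable:", enumerate_bookings(lookup_booking_vulnerable, 100000, 5))
    attacker = lambda r: lookup_booking_hardened(r, "attacker@example.com")
    print("hardened:  ", enumerate_bookings(attacker, 100000, 5))
```

The hardened version still uses the booking number as the lookup key; what changes is that possession of the number is no longer treated as proof of entitlement. Tying the record to an authenticated session, or issuing long random references instead of sequential ones, closes the same gap from the other side, and a production fix would also rate-limit and log repeated lookups so an enumeration like the one above is noticed rather than discovered by a third party years later.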
“We take any breach of our customer data extremely seriously. After being alerted to this unauthorized access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law,” a Thomas Cook spokesperson wrote in an email.
“Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities. For the same reasons we have not contacted the customers affected.