It seems that if you use a certain url on the Aer Lingus site you can access the account details of whoever logged into some sections last. I logged into the Gold Circle section and when someone logged in after me the got the below details. I’m not the only one. Anyone that clicks on the url (which seems to be just a general url with session details) will see details of anyone who logged in last. I rang customer care who are not equipped to deal with this in fairness and they asked me to email in the url. Twenty mins later and I still can’t find an email address on their site that I can email. They seem to think fax is enough for Irish people. Oh and their Aer Lingus queries site is down so I can’t send in my “query” via there.
Not that I have much of a clue about security but it appears to be a simple session hikack, although not intentional. The url sent to me and others by someone linking to the Gold Circle page contained session details and for some reason when registering after that for Gold Circle and logging out, the next person in could see the details of the previous person. If they hadn’t logged out yet you got the screen cap from above but if they logged out you saw “just” their email address. A very obvious data breach.
The worrying thing is that this technique might be used to get even more details from accounts including credit card details. So on Easter Sunday I am told I should email this into customer care, if I can find their email details. I’m still looking.
Update: Email to customer care:
My personal data was accessed by other people.
My mobile number is +353
I already called about this at 3pm today. I was told to fill this form in. There has been a data security breach on your site which has ended up with my personal data being exposed via the Gold Circle section of Aer Lingus website. It has happened to others too and I believe they have made contact.
The clock started ticking for me at 3pm and I would like to be contacted and assured that this data breach is being taken seriously and that a report will be issued as to what happened. I would also like to be updated on the progression of the investigation of this issue.
I have also put this issue on my website: http://url.ie/aln and will be updating it as time goes by.
Thank you.
Damien Mulley
Update 2 @19:11 – Well Aer Lingus took down the site for a while but the issue is still there. James Galvin shared a url and when I clicked on it, I got his fake account details:
Including his credit card details, though he didn’t put them in:
The very worrying thing is that it was sheer accident that some of us happened upon this. Is this a temporary bug or has it been around all the time? Can session IDs be predicted?
I used an itinerary that I had saved with AerLingus when you noticed this issue but couldn’t get the system to resurrect my credit card details that AerLingus had previously stored on its site. I am not a Gold Circle member.
From your report, it appears a session-id was not set and then scrubbed from a browser using the Gold Circle service.
And it seems we can see your data too Bernie.
I’m currently on the aerlingus website – have Bernie’s Name, Address, phone number. city of birth – all screengrabbed and saved to my hard drive. I can see the last four digits of a credit card number. Thought you lived in Cashel though Bernie or have you multiple houses??
Hi guys,
Heres whats appears to be happening….very serious on Aer Lingus’s part.
The session that is used when you login to your account is being stored as an instance on their server (probably for 45 minutes or so, depending on their settings). To access this session, all you need is the Session ID (this is the BV_SEssionID part of the URL) and the Engine ID (BV_EngineID). For example, I could change between my details and Bernies by just swapping out the Session ID and Engine ID in the URL. I could also change the details in the Session by logging in to my Gold Circle account using this session, meaning the next person to click on the link to this session would see my details.
If we all leave this link and session alone, the session should expire, as each time someone access the session its timeout resets.
Very, very strange way of doing things to be honest with you. Chance of anyone actually getting a hold of both the session id and engine id before the session expires are minimal (unless we post a link to it).
Still, very serious on Aer Lingus’s part, hope they resolve it soon.
Bernie, I can see your details too. Curious that you say your not a Gold Circle member, as I can see your Gold Club membership number and that you are an applicant.
@Chris It’s very serious, but saying that people should leave the session alone is unreasonable. We’re just a tiny subset of people on AL.com. The session will prob we reset again and again. AL need to fix this pronto.
Excellent, I’ve just set up an account and by copying the session url alone I can access my account no matter who I am or where I’m surfing from. Thats a handy feature alright. Hopefully more sites will introduce it soon.
Aer Lingus website is down!
are the session ID strings guessable? e.g. incrementing by 1 every time?
I find it annoying when BOI bumps me out of its site after what seems like about three minutes of inactivity but I can see its value now.
This smacks of investigative journalism Damien.
Careful now, down with this sort of thing.
So….ever thought of writing a book? 🙂
John
I will pass this to the relevant person in Aer Lingus.
[…] Mulley reports that if you use a certain url on the Aer Lingus site you can access the account details of whoever logged into some sections […]
I was emailed by a few people over the course of an hour, some i knew, some i didnt. They each had my personal details and let me know they were viewable on the site. I phoned Aer Lingus who asked me to fill out a form on the site. I did and requested they keep me updated and let me know if my data was secure. I am still waiting.
Hi, was this ever resolved to your satisfaction Damien? Paul
well this scares the life out of me what ever next if i have booked a flight and given my address and the dates etc, any one want to burgle my home
I think Aer lingus are all robots, I have booked flights to go to uk next week and I cant get back on to their web site, apparently my session has timed out, that was yesterday, I rung them and spoke to what sounded like a robot who kept repeating the same bull over and over. The tickets I booked were 99euros, tried to book one more ticket for someone and they are now 250euros! I wont be flying with this rip off airline again, give me ryan air anyday, I know this is a different subject to all of yours, but had to leave off steam to some human beings! Thanks