This one is bad. Qantas as in the Australian airline has one hell of a privacy breach on its hands. The Guardian has the rather bad (if you’re Qantas) details:
Potentially thousands of Qantas customers have had their personal details made public via the airline’s app, with some frequent flyers able to view strangers’ account details and possibly make changes to other users’ bookings.
Qantas said late Wednesday its app had been fixed and was stable, after two separate periods that day “where some customers were shown the flight and booking details of other frequent flyers”.
The airline said this didn’t include displaying financial information, and that users were not able to transfer Qantas points from another account or board flights with their in-app boarding passes.
Clare Gemmell from Sydney said that she and four colleagues encountered the problem shortly after 8.30 on Wednesday morning.
“My colleague logged in and said ‘I think the Qantas app has been hacked because it’s not my account when I log in’.”
When Gemmell logged into the app, she was greeted with a message saying “Hi Ben”. The app told her Ben had more than 250,000 points and an upcoming international flight.
“Another colleague of mine said it looked like she was able to cancel somebody’s flight ticket,” she said.
“You could see boarding passes for other people, one of my colleagues could see a flight going to Melbourne and it looked like you could interact and actually affect the booking.”
Well, that’s one hell of a screw up that Qantas has apparently now fixed. But it’s still bad. Ted Miracco, CEO, Approov had this comment:
This incident with the Qantas mobile app is quite concerning from both a cybersecurity and privacy perspective. Many companies fail to implement adequate API security, which can lead to issues like the one potentially faced by Qantas. The security of APIs is critical as they often handle the logic, user authentication, session management, and data processing that apps rely on to function.
The problem described suggests a significant issue with how user sessions and data are being handled within the app. The Application Programming Interface (API) is incorrectly processing or validating session tokens, leading to unauthorized access to data. The exposure of such personal information, including booking details, frequent flyer numbers, and boarding passes, poses serious risks and liability. The data could be used for identity theft, phishing scams, or unauthorized access to further personal information. Such a breach should have significant legal and compliance implications, particularly under data protection regulations like the Australian Privacy Act (APA) or GDPR, if any EU citizens are affected, or other local privacy laws, depending on the nationality of the affected passengers.
The reliance solely on Google and Apple’s app store security measures for safeguarding mobile applications is indeed a common oversight that can lead to significant security challenges, as potentially evidenced by the Qantas incident. The security features provided by these platforms primarily focus on ensuring that apps are free from known malware at the time of upload and meet certain basic security criteria. However, these protections do not extend into the realms of runtime security, business logic, and specific data handling practices which are critical for ensuring application security.
Stephen Gates, Security SME, Horizon3.ai adds this:
Most people who utilize mobile apps don’t realize that these apps use APIs to communicate between the app and the app provider’s backend. And APIs are often full of potential vulnerabilities and subsequent risks due to how they are implemented.
This is the primary reason why the OWASP API Security Project was created resulting in the most recent version: 2023 OWASP API Security Top 10. Being a contributor of the Top 10 2019 version, and spending time with founding leaders of the Security Project, the API risks organizations and consumers face today are quite clear.
Today’s software (app) developers must not only become familiar with the API Top 10, but also become experts in understanding the intricacies associated with APIs. The API Top 10 provides highly detailed example attack scenarios as well as excellent recommendations on how to prevent such risks from occurring.
Qantas has some explaining to do to a whole lot of people because of this screw up. I hope they have detailed answers at the ready because this is one of these situations where people are going to want those answers. And they won’t be satisfied with anything less.
Qantas Has An EPIC Privacy Breach On Their Hands
Posted in Commentary with tags Privacy, Qantas on May 1, 2024 by itnerdThis one is bad. Qantas as in the Australian airline has one hell of a privacy breach on its hands. The Guardian has the rather bad (if you’re Qantas) details:
Potentially thousands of Qantas customers have had their personal details made public via the airline’s app, with some frequent flyers able to view strangers’ account details and possibly make changes to other users’ bookings.
Qantas said late Wednesday its app had been fixed and was stable, after two separate periods that day “where some customers were shown the flight and booking details of other frequent flyers”.
The airline said this didn’t include displaying financial information, and that users were not able to transfer Qantas points from another account or board flights with their in-app boarding passes.
Clare Gemmell from Sydney said that she and four colleagues encountered the problem shortly after 8.30 on Wednesday morning.
“My colleague logged in and said ‘I think the Qantas app has been hacked because it’s not my account when I log in’.”
When Gemmell logged into the app, she was greeted with a message saying “Hi Ben”. The app told her Ben had more than 250,000 points and an upcoming international flight.
“Another colleague of mine said it looked like she was able to cancel somebody’s flight ticket,” she said.
“You could see boarding passes for other people, one of my colleagues could see a flight going to Melbourne and it looked like you could interact and actually affect the booking.”
Well, that’s one hell of a screw up that Qantas has apparently now fixed. But it’s still bad. Ted Miracco, CEO, Approov had this comment:
This incident with the Qantas mobile app is quite concerning from both a cybersecurity and privacy perspective. Many companies fail to implement adequate API security, which can lead to issues like the one potentially faced by Qantas. The security of APIs is critical as they often handle the logic, user authentication, session management, and data processing that apps rely on to function.
The problem described suggests a significant issue with how user sessions and data are being handled within the app. The Application Programming Interface (API) is incorrectly processing or validating session tokens, leading to unauthorized access to data. The exposure of such personal information, including booking details, frequent flyer numbers, and boarding passes, poses serious risks and liability. The data could be used for identity theft, phishing scams, or unauthorized access to further personal information. Such a breach should have significant legal and compliance implications, particularly under data protection regulations like the Australian Privacy Act (APA) or GDPR, if any EU citizens are affected, or other local privacy laws, depending on the nationality of the affected passengers.
The reliance solely on Google and Apple’s app store security measures for safeguarding mobile applications is indeed a common oversight that can lead to significant security challenges, as potentially evidenced by the Qantas incident. The security features provided by these platforms primarily focus on ensuring that apps are free from known malware at the time of upload and meet certain basic security criteria. However, these protections do not extend into the realms of runtime security, business logic, and specific data handling practices which are critical for ensuring application security.
Stephen Gates, Security SME, Horizon3.ai adds this:
Most people who utilize mobile apps don’t realize that these apps use APIs to communicate between the app and the app provider’s backend. And APIs are often full of potential vulnerabilities and subsequent risks due to how they are implemented.
This is the primary reason why the OWASP API Security Project was created resulting in the most recent version: 2023 OWASP API Security Top 10. Being a contributor of the Top 10 2019 version, and spending time with founding leaders of the Security Project, the API risks organizations and consumers face today are quite clear.
Today’s software (app) developers must not only become familiar with the API Top 10, but also become experts in understanding the intricacies associated with APIs. The API Top 10 provides highly detailed example attack scenarios as well as excellent recommendations on how to prevent such risks from occurring.
Qantas has some explaining to do to a whole lot of people because of this screw up. I hope they have detailed answers at the ready because this is one of these situations where people are going to want those answers. And they won’t be satisfied with anything less.
Leave a comment »