Hopefully, they do. It's pretty weird how they themselves advice not to share the booking reference with other people and are leaking the same to the third-parties.
That was indeed quite ironic. I bet the PR person did not read their own privacy policy before pointing you towards it. Pretty sure they weren't expecting you to read volumes of vague jargon and pick their follies. Well done.
If you think this is bad you should see the network-engineering security practices of some gulf-state (Qatar, Kuwait, UAE, etc) telecoms and ISPs. You will cringe.
Here's a completely plausible and terrible idea someone nefarious could do given this vulnerability:
Setup a laptop or some other small device that is listening to data being sent over Wifi at an airport. If you're feeling really brave, hide the device inside the airport, plugged in. Every time it picks up anything being sent over http to one of these insecure third parties, look for booking reference numbers and names, then automatically cancel the ticket using those two pieces of data.
If you did that at a major Emirates hub, you could probably cancel a significant number of tickets, impacting the company enough to get them to actually get their act together.
I wish the Emirates tech team understands the gravity of this problem. None of the services they are using to optimize the websites, needs this sensitive information. It's a side-effect of their implementation.
But just a small correction, the third-parties are not on HTTP, it's the email link that it HTTP.
Thanks, Yes, That's the first post highlighting the issues. This follow-up post is after Emirates responded via theregister.co.uk. There were so many inaccurate things in their comment that I decided to do a complete post.
12 comments
[ 3.6 ms ] story [ 43.1 ms ] threadSetup a laptop or some other small device that is listening to data being sent over Wifi at an airport. If you're feeling really brave, hide the device inside the airport, plugged in. Every time it picks up anything being sent over http to one of these insecure third parties, look for booking reference numbers and names, then automatically cancel the ticket using those two pieces of data.
If you did that at a major Emirates hub, you could probably cancel a significant number of tickets, impacting the company enough to get them to actually get their act together.
But just a small correction, the third-parties are not on HTTP, it's the email link that it HTTP.
Edited for clarification: thanks, 'kkm!