
Premium Luggage Service Exposed Users’ Travel Plans – Even Diplomats’

Summary

– Airportr, a UK-based luggage service, had cybersecurity vulnerabilities exposing users’ personal data, including travel plans and luggage details, to potential hackers.
– Researchers found bugs allowing access to sensitive information and administrator privileges, risking luggage theft or flight cancellations for users, including diplomats.
– CyberX9’s CEO warned the flaws could grant hackers “super-admin” access, compromising all customer data and operations globally.
– Airportr fixed the issues quickly after being alerted, but researchers argue the simplicity of the vulnerabilities suggests prior unauthorized access may have occurred.
– The flaws included weak password reset features and brute-force email guessing, exposing names, addresses, passport images, and flight details of 92,000 users.

A high-profile luggage handling service exposed sensitive travel data belonging to thousands of passengers, including government officials and diplomats, due to critical security flaws. Cybersecurity experts uncovered vulnerabilities that could have allowed hackers to access personal details, manipulate bookings, and even intercept luggage, raising serious concerns about data protection in the travel industry.

The service in question, Airportr, partners with major airlines to offer premium baggage handling, including pickup, check-in, and delivery. Researchers at CyberX9 discovered that simple technical oversights in the company’s systems granted unauthorized access to customer records. Shockingly, these flaws could have enabled attackers to take full administrative control, exposing everything from flight itineraries to passport copies. Among the compromised data were travel plans linked to officials from the UK, Switzerland, and the US, highlighting the potential risks to national security.

Himanshu Pathak, CEO of CyberX9, emphasized the severity of the breach. “Exploiting these vulnerabilities would have given hackers unrestricted access to every aspect of Airportr’s operations,” he explained. “They could have altered bookings, rerouted luggage, or stolen sensitive passenger information without detection.” The team found that weak authentication measures allowed them to reset user passwords using only an email address, with no safeguards against brute-force attacks.

Airportr’s CEO, Randel Darby, acknowledged the findings but gave assurances that the issues were resolved swiftly after the company was notified. “The exposed system was immediately secured, and no evidence suggests malicious actors accessed the data,” Darby stated. The company maintains that only ethical hackers reviewed the information to improve security protocols.

Despite these assurances, experts warn that the sheer simplicity of the vulnerabilities leaves room for doubt. CyberX9’s investigation revealed that hackers could have exploited the flaws to impersonate the company, sending fraudulent messages or tampering with airline accounts. With over 92,000 users and 800,000 bags processed, the scale of potential damage underscores the need for stricter cybersecurity measures in third-party travel services.

For frequent flyers, especially those in sensitive professions, this incident serves as a stark reminder to scrutinize data-sharing practices with travel providers. While convenience is valuable, the risks of entrusting personal information to inadequately secured platforms remain alarmingly high.

(Source: Wired)
