
Airline websites don’t care about privacy follow-up: Emirates in full-on denial - kkm
https://medium.freecodecamp.org/privacy-leaks-round-trip-emirates-com-in-denial-7f99950bcdd
======
mabbo
Here's a completely plausible and terrible idea someone nefarious could do
given this vulnerability:

Set up a laptop or some other small device that is listening to data being sent
over Wifi at an airport. If you're feeling really brave, hide the device
inside the airport, plugged in. Every time it picks up anything being sent
over http to one of these insecure third parties, look for booking reference
numbers and names, then automatically cancel the ticket using those two pieces
of data.

If you did that at a major Emirates hub, you could probably cancel a
significant number of tickets, impacting the company enough to get them to
actually get their act together.

~~~
kkm
I wish the Emirates tech team understood the gravity of this problem. None of
the services they are using to optimize the websites needs this sensitive
information. It's a side-effect of their implementation.

But just a small correction, the third-parties are not on HTTP, it's the email
link that is HTTP.

------
grzm
Discussion on initial report from 2 days ago (over 170 comments):
[https://news.ycombinator.com/item?id=16516687](https://news.ycombinator.com/item?id=16516687)

Edited for clarification: thanks, 'kkm!

~~~
kkm
Thanks, yes, that's the first post highlighting the issues. This follow-up
post is after Emirates responded via theregister.co.uk. There were so many
inaccurate things in their comment that I decided to do a complete post.

------
walrus01
If you think this is bad, you should see the network-engineering security
practices of some Gulf-state (Qatar, Kuwait, UAE, etc.) telecoms and ISPs. You
will cringe.

------
palmodi
This is an absolute abomination! They really need to get their act together.

~~~
kkm
Hopefully, they do. It's pretty weird how they themselves advise not to share
the booking reference with other people and are leaking the same to the
third-parties.

~~~
palmodi
That was indeed quite ironic. I bet the PR person did not read their own
privacy policy before pointing you towards it. Pretty sure they weren't
expecting you to read volumes of vague jargon and pick their follies. Well
done.

------
rammy1234
Now that this is in the open, is the Emirates site safe to use?

------
vikramadhiman
Wow, this is shocking. I am going to watch out in future.

~~~
kkm
As long as you don't look at the network, it is not at all scary.

