This post is going to outline how I simply applied my methodology and managed to find multiple vulnerabilities leaking airline passenger information on a YesWeHack bug bounty program. My experience on YesWeHack has been extremely good as the companies engage & communicate with you on reports to understand the issue in a very timely manner. I feel like the companies I dealt with on YesWeHack treat me with full respect and honestly I recommend you checkout their platform, I just wish there was more programs! đ
For these findings I spent approx ~15hours max over 3 days to find these bugs. I used zero recon tools and only targeted their main web application. I was shocked at how easy I found these bugs and to this day I still think about other airlines which DO NOT welcome hackers and if they are vulnerable in similar areas. If you work for an airline, please reach out and maybe I can help you! @zseano (or perhaps contact YesWeHack & invite me? :D)
Iâd also like to use this opportunity to remind people that you should never post your plane tickets publicly, no information at all. Seriously, keep it to yourself.
For those not familiar with what an IDOR (Insecure Direct Object Reference) is, imagine you have an url: https://api.example.com/user/1 which reflects private information such as email. You are id â1â and changing this to â2â should present you with an error that you donât have the right access to view this usersâ information. If however it does then you have a valid IDOR bug for enumerating user information. (Of course in some cases it is intended functionality, you should be looking for sensitive information leaked) IDOR is about changing certain values to another and being able to view / modify other usersâ data. In my opinion IDOR is just as common as XSS.
Tip: Donât get distracted by âencryptedâ values or guids as sometimes integer values are accepted anyway!;)
Second tip: Inject âidâ:1 when you see JSON post requests even if itâs not there. It may still be handled and youâll find a âblindâ IDOR đ
Hi Sean, you have been invited to hack on zseanosflights.com
Nice. The website offers lots to play with but more importantly, the website holds sensitive information. Itâs an Airline, passport information etc. When thereâs sensitive information at risk I will always go in with the mindset of theyâre secure. Theyâre holding info about passengers and they will want to keep this secure, so letâs check: just how secure is their production site which thousands of users are using daily?
My methodology is focused around using the website as intended, so the very first thing I did after signing up was to simply purchase a flight. I bought a ticket for ÂŁ20 which flies next year and armed with a valid booking reference. it was time to hunt for IDORs across the entire site. I also googled for this particular Airline and found a promotion from 2018 which contained another booking reference. At this point I didnât know if it worked but I saved it for future reference. Whenever you test for IDOR always test against your own accounts or ids owned by the company (so you are not affecting real users!)
This is where things got a bit too easy. Now if you have tried to view your plane booking online before you will know that it requires your booking reference AND last name. Well in this case when checking in a request was made to fetch my passenger information with only my booking reference as the parameter. Simply changing this to another usersâ booking reference would display their information to me. âWowâ I thought.. that easy huh? Yes really, that easy. No tools needed, no crazy skills.
At this stage I went and found as many features as possible which required a booking reference and found multiple areas leaking full passenger information. The scope is pretty locked down on this program so I was still just targeting their main web application. I am still waiting for the scope to be increased so I can continue my hunting.
Iâm afraid this is the end of the hacking. I literally just used the site as intended, captured the request, changed the âbookingRefâ parameter to another ID and was able to leak sensitive passenger information in multiple areas. The issue affected pretty much all features which handled a booking reference. As you know also booking references for flights are easily guessable, they are only up to 6 characters long and usually only contain 2 numbers. It would not be hard to generate every combination and run a tool to mass-scrape passenger information.
Hacking really isnât that hard, I just use the site as intended đ
I am presenting a talk at Securi-Tay2020 titled, âSaving user data one company at a time â Hacking with zseanoâ so if you are there feel free to come and say hi and I hope you enjoy my talk! https://securi-tay.co.uk/