Airlines Expose Passenger Data via Unencrypted Check-in Links

Several major airlines are exposing passengers’ personal information by sending check-in links over HTTP instead of HTTPS. These links are typically sent via email or SMS and are used to initiate the check-in process. An attacker on the same network as the passenger, such as a public Wi-Fi connection, can intercept the link request and use it to log in automatically to the user’s online check-in page. Depending on the airline, the check-in service can provide information about the user’s email, address, name, passport details and flight details. In some cases, the attacker can make changes to the user’s data or print the boarding pass for a scheduled flight. It is recommended that airlines encrypt network communication during the check-in process and implement two-factor authentication to protect user information.
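A defender-side check for the issue described above, as an added example that is not from the article or from any airline: it scans outbound email or SMS bodies for check-in links sent over cleartext HTTP and rates those whose query string carries booking identifiers as the higher risk. The parameter names, the `airline.example` hosts and the sample messages are hypothetical, since the article does not give the real link format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical parameter names that would let a link holder open a booking.
# The article does not list the real ones; adjust to your own link format.
SENSITIVE_PARAMS = {"pnr", "booking_ref", "last_name", "token", "ticket"}

# Matches http:// and https:// URLs up to whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def audit_message(body):
    """Return one finding per cleartext (http://) link in a message body."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        parts = urlsplit(url)     # urlsplit lowercases the scheme
        if parts.scheme != "http":
            continue              # HTTPS links are not exposed on the wire
        names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        exposed = sorted(names & SENSITIVE_PARAMS)
        findings.append({
            "url": url,
            # Identifiers in a cleartext URL are readable by anyone on the path.
            "severity": "high" if exposed else "medium",
            "exposed_params": exposed,
        })
    return findings


# Constructed sample messages (not real airline traffic).
SAMPLE_MESSAGES = [
    "Check in now: http://checkin.airline.example/start?pnr=ABC123&last_name=DOE.",
    "Check in now: https://checkin.airline.example/start?pnr=ABC123&last_name=DOE",
    "Flight status: HTTP://www.airline.example/status",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for finding in audit_message(msg):
            print(finding["severity"], finding["url"], finding["exposed_params"])
```

Run against message templates before they are sent; a clean result only shows the link itself is HTTPS, not that the check-in site enforces HTTPS on every later request.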

