
Some of the private data of KLM and Air France passengers proved easy to obtain. Hyperlinks to flight information weren’t long or varied enough, making it possible to collect data from other customers on a large scale.

The revelation was made by the Dutch public news organisation NOS, which, together with security researcher Benjamin Broersma, had tested whether private data could be obtained by adjusting a hyperlink sent by KLM by text message.

Anyone who wanted to receive KLM’s flight information by text message was sent a six-character link. A malicious actor could have automatically tried all kinds of combinations of these characters, finding a valid link roughly once every 100 to 200 attempts. According to NOS, it even appeared possible to edit and delete passport and visa information, but this was not tested.

KLM blocked the IP addresses used to investigate the exploit after more than five hours. The airline has since added a login screen so no one can access anyone else’s flight information.

Susceptible to automatic scripts

Broersma stated in conversation with NOS that the six-character code in the hyperlinks is too short and that too many of the possible codes are in use. Six characters allow 56.8 billion combinations, of which one in 100 to 200 turned out to be valid during the investigation. NOS’ “most conservative estimate” is that 0.5 percent of all combinations were valid, which would mean at least 284 million combinations led directly to a customer’s data.
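To make the arithmetic above concrete, here is an added example in Python (not code from the article, NOS, Broersma or KLM) that turns the article’s figures into a defender’s risk calculation: the size of the keyspace, how many random guesses it takes on average to land on a live link, how quickly that happens at a given request rate, and how long a token has to be before the same number of live links becomes unguessable. It assumes a 62-symbol alphanumeric alphabet, because 62^6 equals the 56.8 billion figure cited; the article does not state the alphabet, so that is an inference. The 0.5 percent valid fraction and the 284 million live links come from the article.

```python
"""Keyspace and guess-rate arithmetic for short, enumerable access tokens.

Added example, not from the article. Assumption: the cited 56.8 billion
combinations equals 62**6, i.e. six characters drawn from [A-Za-z0-9].
"""
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols (assumed alphabet)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct tokens of the given length over the given alphabet."""
    return alphabet_size ** length


def live_tokens(alphabet_size: int, length: int, valid_fraction: float) -> int:
    """How many tokens in the keyspace resolve to a real record, given the valid fraction."""
    return round(valid_fraction * keyspace(alphabet_size, length))


def expected_guesses_per_hit(valid_tokens: int, alphabet_size: int, length: int) -> float:
    """Average number of uniformly random guesses before one lands on a live token."""
    return keyspace(alphabet_size, length) / valid_tokens


def hours_to_first_hit(valid_tokens: int, alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Expected wall-clock hours until the first live token is found at a fixed request rate."""
    return expected_guesses_per_hit(valid_tokens, alphabet_size, length) / guesses_per_second / 3600


def min_token_length(alphabet_size: int, valid_tokens: int, max_hit_probability: float) -> int:
    """Smallest token length at which one random guess hits a live token with
    probability no greater than max_hit_probability, for a fixed number of live tokens."""
    length = 1
    while valid_tokens / keyspace(alphabet_size, length) > max_hit_probability:
        length += 1
    return length


def new_token(length: int = 22, alphabet: str = ALPHANUMERIC) -> str:
    """Generate a token with a CSPRNG; 22 alphanumeric characters is about 131 bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    space = keyspace(62, 6)
    live = live_tokens(62, 6, 0.005)          # the article's 0.5 percent estimate
    print(f"keyspace: {space:,}")              # 56,800,235,584
    print(f"live links at 0.5%: {live:,}")     # 284,001,178
    print(f"guesses per hit: {expected_guesses_per_hit(live, 62, 6):.0f}")
    print(f"hours to first hit at 10 req/s: {hours_to_first_hit(live, 62, 6, 10):.4f}")
    needed = min_token_length(62, live, 1e-12)
    print(f"length needed for <= 1e-12 hit probability per guess: {needed}")
    print(f"hours to first hit with 22-char tokens: {hours_to_first_hit(live, 62, 22, 10):.3e}")
    print(f"sample token: {new_token()}")
```

The design point is that the fix is not rate limiting alone: with 284 million live links in a 56.8 billion space, a hit arrives every couple of hundred guesses, so even a modest request rate finds data within seconds, which is why IP blocking after five hours did little. Lengthening the token so that a random guess has a negligible hit probability, and requiring authentication before the record is shown, removes the problem at its root.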

KLM doesn’t seem too keen to clarify the extent of the data breach. For example, it didn’t disclose whether passport and visa information was modifiable through valid hyperlinks. In addition, only a “small percentage” of the customer base receives such a text message according to the airline. Again, it doesn’t say what percentage that is.

NOS states that it made no effort to remain unnoticed during its research. A threat actor who automatically switched IP addresses every few seconds would not have been stopped nearly as easily by the block that KLM imposed after more than five hours.

Not the first time

It’s not the first time this year that Air France-KLM has faced a data breach. The airline’s frequent flyer program members were told by email that their data had been accessed by an “unauthorized party” back in January.
