Cybersecurity researchers from CyberX9 have discovered severe web vulnerabilities in Airportr, a UK-based luggage service that partners with airlines to handle passengers' bags. The findings, reported by Wired, revealed that simple bugs in Airportr's website allowed the ethical hackers to access virtually all users' personal information, including travel plans, passport images, and signatures. The data the researchers reviewed included records belonging to government officials and diplomats from the UK, Switzerland, and the US.
Airportr's CEO, Randel Darby, confirmed the CyberX9 findings in a statement provided to Wired, saying that the vulnerable part of the site's backend was disabled shortly after the company was notified in April. The researchers argue, however, that bugs this simple could easily have been found and exploited by others before the fixes were made, leaving users at greater risk than the company acknowledges. They demonstrated that a basic web vulnerability let them change any user's password knowing only that user's email address, and because the site imposed no rate limiting, they could discover valid email addresses by guessing them at scale.
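The bug class described above (a password reset that trusts the e-mail address alone, on an endpoint with no rate limiting) is common enough to be worth showing concretely. The following is an added illustration written for this page, not Airportr's code, and the article does not describe the exact mechanism the researchers used; everything here, including the class names, the `outbox` stand-in for the mail relay and the sample accounts, is an assumption made for the example. It places the insecure pattern beside a hardened two-step flow: a random single-use token that only reaches the mailbox, a reply that is identical whether or not the address is registered, and a per-client request limit.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


def make_users():
    # Constructed sample accounts (fictional; not Airportr data). Passwords are
    # kept in the clear only because this toy models the reset flow, not storage.
    return {"alice@example.com": {"password": "old-pass"},
            "bob@example.com": {"password": "hunter2"}}


class VulnerableResetService:
    """Hypothetical endpoint matching the reported bug class: it changes the
    password on the strength of an e-mail address alone, with no proof that
    the caller controls the mailbox, and its replies reveal which addresses
    exist, so an attacker with no rate limit can enumerate accounts."""

    def __init__(self, users):
        self.users = users

    def reset_password(self, email, new_password):
        if email not in self.users:
            return "unknown email"          # distinguishable: enables enumeration
        self.users[email]["password"] = new_password
        return "password changed"           # anyone can reset anyone


class HardenedResetService:
    """Hypothetical hardened flow: request_reset() issues a random token that
    is delivered only to the mailbox; complete_reset() accepts a new password
    only with that token, once, before it expires. Requests are rate-limited
    per client, and the reply never says whether the address is registered."""

    def __init__(self, users, max_requests=5, window_s=300, token_ttl_s=900):
        self.users = users
        self.max_requests = max_requests
        self.window_s = window_s
        self.token_ttl_s = token_ttl_s
        self.pending = {}                   # email -> (sha256(token), expiry)
        self.hits = defaultdict(deque)      # client_ip -> request timestamps
        self.outbox = []                    # stand-in for the mail relay

    def _rate_limited(self, client_ip, now):
        # Sliding window: drop timestamps older than window_s, then count.
        q = self.hits[client_ip]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_requests:
            return True
        q.append(now)
        return False

    def request_reset(self, email, client_ip, now=None):
        now = time.time() if now is None else now
        if self._rate_limited(client_ip, now):
            return "too many requests"
        if email in self.users:
            token = secrets.token_urlsafe(32)           # 256 bits of entropy
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[email] = (digest, now + self.token_ttl_s)
            self.outbox.append((email, token))          # only the mailbox sees it
        # Identical reply for known and unknown addresses: no enumeration oracle.
        return "if the address is registered, a reset link has been sent"

    def complete_reset(self, email, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None:
            return "invalid or expired token"
        stored_digest, expiry = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if now > expiry or not hmac.compare_digest(stored_digest, presented):
            return "invalid or expired token"
        del self.pending[email]                          # single use
        self.users[email]["password"] = new_password
        return "password changed"
```

The two properties that matter are independent: the token is what stops a stranger resetting someone else's password, and the rate limit plus the uniform reply are what stop the reset endpoint doubling as an address-enumeration oracle. Storing only a hash of the token means a read of the `pending` table does not hand out live reset links, and `hmac.compare_digest` avoids a timing side channel on the comparison.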
This access gave the researchers a comprehensive view of customers' data, including names, phone numbers, home addresses, flight details, boarding passes, and ticket information. The researchers further noted that an attacker with administrator access could redirect or steal luggage in transit, cancel flights on airline websites, and send phishing emails as Airportr. They emphasized that the vulnerabilities granted complete control over every airline customer's bookings and baggage, making the service a prime target for espionage and data theft.