Roy Solberg, a programmer in Norway, discovered that it was possible to retrieve the following information from Thomas Cook Airlines’ systems using only a booking reference number:
- Full name of all travelers on that booking
- Email address of person registering the booking
- Flight number
Solberg discovered that trips booked through the travel agency Ving, whose parent company is Thomas Cook, are assigned incremental booking reference numbers. In other words, you can reach other customers’ details simply by decrementing or incrementing the reference number in a URL.
This is known as an Insecure Direct Object Reference (IDOR). It is not only a commonly encountered problem in poorly designed web applications, but also easy for an attacker to exploit: the application treats knowledge of the identifier as proof that the caller is entitled to the record.
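The following is an added illustration, not code from the article or from Thomas Cook's systems. It shows the IDOR pattern the article describes (a lookup that trusts the booking reference alone) beside a hardened version that also requires a fact only the booker should know, and a generator for opaque, non-sequential references. The booking records, email addresses and reference format are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data standing in for the airline's booking database.
# Names, emails, references and flight numbers are made up for this example.
@dataclass(frozen=True)
class Booking:
    reference: str
    booker_email: str
    travellers: tuple
    flight_number: str

BOOKINGS = {
    "100001": Booking("100001", "alice@example.com", ("Alice Example",), "TCX123"),
    "100002": Booking("100002", "bob@example.com", ("Bob Example", "Carol Example"), "TCX456"),
}

def lookup_insecure(reference: str):
    """IDOR pattern: the reference alone is treated as proof of entitlement.
    With sequential references, any caller can reach every record."""
    return BOOKINGS.get(reference)

def lookup_checked(reference: str, claimed_email: str):
    """Hardened lookup: the reference selects the record, but the caller must also
    present the email the booking was registered with. Unknown references and
    wrong emails both return None so the response does not reveal which
    references exist; the comparison is constant-time in both branches."""
    booking = BOOKINGS.get(reference)
    if booking is None:
        # Run a comparison anyway so timing does not differ for missing records.
        hmac.compare_digest(b"x" * 32, b"y" * 32)
        return None
    stored = booking.booker_email.strip().lower().encode()
    claimed = claimed_email.strip().lower().encode()
    if not hmac.compare_digest(stored, claimed):
        return None
    return booking

REF_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes

def new_reference(length: int = 8) -> str:
    """Opaque reference drawn from a CSPRNG instead of a counter, so neighbouring
    bookings cannot be found by adding or subtracting one. This is defence in
    depth; the authorization check in lookup_checked is the actual fix."""
    return "".join(secrets.choice(REF_ALPHABET) for _ in range(length))
```

The design point is that the second factor (here, the booker's email) turns the reference into a lookup key rather than a credential. Randomizing the reference on its own would not close the hole, since a leaked or shared reference would still expose the record to anyone who presents it.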
In his tests, Solberg says that he was able to use the technique to see details of trips as far back as 2013, through to 2019. The bug finder believes that he could easily have written a computer program to loop through possible booking reference numbers and extract the personal details of most customers and their trips.
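The looping described above leaves a recognisable trace in web-server access logs: one client fetching a run of consecutive reference numbers in quick succession. The example below is added here and is not from the article; it parses constructed access-log lines (the IPs, paths, timestamps and reference numbers are made up) and flags clients whose longest run of consecutive references reaches a threshold, which is the kind of check a defender would run against historical logs to answer the article's closing question of whether anyone had exploited the flaw.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real traffic): one customer re-checking a
# single booking, and one client walking consecutive reference numbers.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2019:10:00:01 +0000] "GET /booking?ref=100345 HTTP/1.1" 200 812
198.51.100.9 - - [10/Jan/2019:10:00:02 +0000] "GET /booking?ref=100400 HTTP/1.1" 200 790
198.51.100.9 - - [10/Jan/2019:10:00:02 +0000] "GET /booking?ref=100401 HTTP/1.1" 200 801
198.51.100.9 - - [10/Jan/2019:10:00:03 +0000] "GET /booking?ref=100402 HTTP/1.1" 404 120
198.51.100.9 - - [10/Jan/2019:10:00:03 +0000] "GET /booking?ref=100403 HTTP/1.1" 200 805
198.51.100.9 - - [10/Jan/2019:10:00:04 +0000] "GET /booking?ref=100404 HTTP/1.1" 200 799
198.51.100.9 - - [10/Jan/2019:10:00:04 +0000] "GET /booking?ref=100405 HTTP/1.1" 200 811
203.0.113.5 - - [10/Jan/2019:10:05:00 +0000] "GET /booking?ref=100345 HTTP/1.1" 200 812
"""

# Matches the assumed URL shape /booking?ref=<digits>; adjust for a real app.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /booking\?ref=(?P<ref>\d+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield (client_ip, reference_number, status) for each matching line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], int(m["ref"]), int(m["status"])

def longest_consecutive_run(refs):
    """Length of the longest run where each reference is the previous one plus
    one, in request order. A customer reloading one booking scores 1."""
    if not refs:
        return 0
    best = run = 1
    for prev, cur in zip(refs, refs[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(log_text, min_run=5):
    """Return {ip: (longest_run, distinct_refs, error_responses)} for clients
    whose longest consecutive run reaches min_run. Error responses are reported
    too, since a scan also hits references that do not exist."""
    per_ip = defaultdict(list)
    errors = defaultdict(int)
    for ip, ref, status in parse(log_text):
        per_ip[ip].append(ref)
        if status >= 400:
            errors[ip] += 1
    flagged = {}
    for ip, refs in per_ip.items():
        run = longest_consecutive_run(refs)
        if run >= min_run:
            flagged[ip] = (run, len(set(refs)), errors[ip])
    return flagged

if __name__ == "__main__":
    for ip, (run, distinct, errs) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: run of {run} consecutive refs, {distinct} distinct, {errs} errors")
```

The threshold is deliberately low for the sample; in production it should be tuned against normal traffic, and the same signal can be computed per session or API key rather than per IP, since an attacker can spread a scan over many addresses.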
Solberg says that data from bookings made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway was affected by the vulnerability, but it seems perfectly plausible that other sites may be similarly impacted.
Aside from other privacy concerns (airlines will not normally confirm who is booked on what flight) such information could also be used in targeted phishing attacks claiming to come from a travel operator.
And if there’s more than one person travelling on the same booking, they would be visible too.
Which, as Solberg explains, is potentially another concern for those wishing to keep the details of their trip private:
“Some people might not like that you can see who they travelled with on vacation maybe 5 years ago. (‘Didn’t you say you were going to that job conference in Stockholm? And who is this you were travelling with?’)”
Solberg details on his blog how difficult it was to receive a timely response from Thomas Cook Airlines about the security vulnerability, although he does note that it has now been resolved.
Of course, we have little way of knowing if anyone exploited the security vulnerability in the past five-or-so years.