Flight booking platform Option Way exposes customer and internal data

Researchers from vpnMentor security firm have recently discovered a huge data breach in flight booking platform Option Way. 

Researchers at vpnMentor discovered a huge data breach in flight booking platform Option Way as part of a web-mapping project. 

Option Way service allows its users to find flight deals to and from destinations around the world. 

The research team lead by Noam Rotem and Ran Locar scans familiar IP blocks to find security flaws that would lead the organizations to a data breach.

The experts discovered that a huge portion of the database used by the Option Way platform is completely unprotected and unencrypted. 

“The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via a browser and manipulate the URL search criteria into exposing huge amounts of data.” reads the analysis published by the experts.

“Option Way customers and the airlines on their platform must be aware of the risks they take when using technology that makes so little effort to protect their users.”

The experts discovered over 100GB of data, including unencrypted personal details of customers (Customer names, Date of Birth, Gender, Email addresses, Phone, numbers, Home Address & postcode) and information about users’ flights and travel arrangements. 

The experts claimed that the following statement published on the website of the platform is not true, because customers’ Personally Identifiable Information (PII) was not encrypted.

“The  www.Option Way.com website is protected by an SSL certificate. When you enter your personal data, it is encrypted and stored to let you make transactions. Your personal data is processed in line with the recommendations set out by the CNIL (France’s data protection authority).”

Experts also discovered that the email addresses of Option Way were accessible as a result of ‘incorrect password’ reset links.

vpnMentor warns that combining leaked data it is possible to create a complete user profile of Option Way customers, exposing them to multiple criminal activities and cyber frauds.

Data left unsecured online also expose Option Way to hack because they include employee and company information

“We were able to view the PIIs of staff members that were using the platform to book flights.” continues the analysis.

“During our investigation, we also found the company’s credit card details unmasked and viewable to anybody with access to the database. This was used to book flights for staff members and customers, creating a huge risk for Option Way.”

“By not protecting the company credit card, Option Way is making itself vulnerable to devastating financial fraud.”

Below the timeline of the discovery shared by the experts:

Date discovered: 20/08/19Date vendors contacted: 25/08/19Date of Response: 29/08/19

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – data breach, Option Way)

The post Flight booking platform Option Way exposes customer and internal data appeared first on Security Affairs.