Have you flown with Delta Airlines recently? If so, then your boarding pass was wide open to hackers. Oh, and if you missed yesterday's announcement — you might have a single pilot making sure that you're safe in the air.
That's right, you have to take your shoes off at security but Delta Airlines couldn't even bother to keep your passport private. Kind of frustrating, isn't it? If you aren't annoyed yet, you will be once you learn about how this vulnerability works.
Dani Grant, a writer for the Hackers of NY cyber security blog, ran a few tests after Delta Airlines emailed her a boarding pass. She discovered not only that the site wasn't secured by HTTPS, but also that URL trickery could get a hacker access to your boarding pass.
What kind of URL trickery? The kind where Grant discovered that changing any part of the identification code in her boarding pass's URL could get her instant access to another person's boarding pass.
Trickery like this isn't just stupid, it's testable by anyone in the world. If any site that you visit has a string of numbers or letters at the end of a URL, try raising or lowering one of the numbers by one.
If you end up on another page or profile, then that site isn't secure.
All Delta Airlines would have had to do to find out just how easy it is to hack its systems would have been to add or subtract a single digit. Hackers might not even have to be after you in particular to steal your boarding pass information.
They could just randomly type in a string of letters and Delta Airlines' unsecured HTTP connection would let them right in.
Hey Delta! Fix it.
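What the fix looks like on the server side, as an added example that is not from the original article or from Delta's code: the "before" lookup trusts the identifier in the URL, while the "after" lookup also requires a random token issued for that one boarding pass. The record layout, the ids and every function name here are hypothetical.

```python
import hmac
import secrets

# Constructed sample records; ids, names and fields are hypothetical.
PASSES = {
    1001: {"passenger": "A. Rivera", "flight": "XX100", "seat": "12A"},
    1002: {"passenger": "B. Chen", "flight": "XX200", "seat": "3C"},
}

# Hardened design: a random 256-bit token is stored per pass at issue time
# and placed in the emailed link next to the id.
TOKENS = {pass_id: secrets.token_urlsafe(32) for pass_id in PASSES}
_DUMMY = secrets.token_urlsafe(32)  # compared against when the id is unknown


def lookup_vulnerable(pass_id, token=None):
    """'Before': the id from the URL is the only input consulted."""
    return PASSES.get(pass_id)


def lookup_hardened(pass_id, token):
    """'After': the caller must present the token issued for this exact pass."""
    expected = TOKENS.get(pass_id, _DUMMY).encode()
    supplied = (token or "").encode()
    # Always run the constant-time compare so an unknown id and a wrong
    # token fail the same way and take the same path.
    token_ok = hmac.compare_digest(expected, supplied)
    if pass_id not in PASSES or not token_ok:
        return None
    return PASSES[pass_id]


def leaks_neighbours(lookup, own_id, own_token):
    """Regression check: with our own link, do adjacent ids return a pass?"""
    neighbours = (own_id - 1, own_id + 1)
    return [i for i in neighbours if lookup(i, own_token) is not None]


if __name__ == "__main__":
    my_id, my_token = 1001, TOKENS[1001]
    print("vulnerable:", leaks_neighbours(lookup_vulnerable, my_id, my_token))
    print("hardened:  ", leaks_neighbours(lookup_hardened, my_id, my_token))
```

A token carried in a link only stays secret if the page is served over HTTPS, which is why the missing HTTPS and the guessable identifier are two separate problems that both need fixing.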