Dani Grant, the founder of the security research group Hackers of NY, has reported a serious flaw in the way that Delta and potentially other airlines handle online boarding passes, which are often displayed on smartphone screens to gain entry to flights. Grant discovered that if she shared the URL to her Delta online boarding pass, anybody could download and potentially redeem it. Even more disturbingly, when she changed the last digit of the seemingly random numbers in the URL, she could view someone else's online boarding pass, which might even be on an entirely different airline.
While it would be difficult to get into an airport without a boarding pass in one's own name, or proper ID matching the name on the boarding pass, the viewer can check the passenger into the flight, or even change their seat assignment, among other potential risks. Presumably, it would also be difficult to use this trick to find a specific passenger's boarding pass, or one for a specific flight, without intimate knowledge of how the number sequences on the URL are generated.
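The flaw described above is the pattern where the number in a URL is the only thing standing between a visitor and a record. The following is an added example, not Delta's code or anything from the original report: a minimal in-memory sketch contrasting that pattern with a lookup that uses an unguessable token and checks ownership before reading or changing a pass. All names, IDs and records are hypothetical and constructed for illustration.

```python
import secrets

# Constructed sample data: two passengers whose pass IDs differ by one digit.
PASSES = {
    1000001: {"owner": "alice", "seat": "14C"},
    1000002: {"owner": "bob", "seat": "22A"},
}
TOKENS = {}  # unguessable URL token -> internal pass ID


def fetch_pass_weak(pass_id):
    """Flawed pattern: the number in the URL is the only credential."""
    return PASSES.get(pass_id)


def issue_token(pass_id):
    """Hand out a 256-bit random token instead of exposing the internal ID."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = pass_id
    return token


def fetch_pass_hardened(token, session_user):
    """Return the pass only if the token exists and the logged-in user owns it."""
    pass_id = TOKENS.get(token)
    if pass_id is None:
        return None  # unknown token gets the same answer as "not yours"
    record = PASSES[pass_id]
    if session_user is None or record["owner"] != session_user:
        return None  # a shared or guessed URL alone is not enough
    return record


def change_seat_hardened(token, session_user, new_seat):
    """State-changing actions go through the same ownership check."""
    record = fetch_pass_hardened(token, session_user)
    if record is None:
        return False
    record["seat"] = new_seat
    return True
```
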
The TSA commented on the story. "Travel document checking is just one layer of TSA's defense for aviation security," said TSA Press Secretary Ross Feinstein. "Officers are trained to detect and potentially deter individuals who may attempt to board an aircraft with fraudulent documents."
In an email to Grant, a Delta representative apologized for the breach of security, and provided her with a customer service number if she continued to have issues stemming from it. In a statement to Time Magazine, Delta spokesperson Paul Skrbec said that Delta IT was able to implement a fix without causing any impact to flight safety. According to Skrbec, Delta isn't aware of any compromised accounts as a result of the flaw.