While trying to book a last-minute ticket on United Airlines' website, a security researcher accidentally stumbled across the name of every passenger on his flight, private information he was not meant to see.
On his Tinfoil Security blog, Ben Sedat said the entire passenger manifest was revealed to him when he clicked the dropdown menu while entering his traveler information on United.com.
"Kind of scary, and nothing I had any business looking at," Sedat wrote, adding that he came across the passengers' names just as any other potential ticket-buyer would, without doing any security testing of his own.
As Ars Technica reported, United "recently overhauled its system to include new flights and customers" after acquiring Continental Airlines. Sedat said he disclosed the privacy risk to United; a representative was not able to reproduce the error Sedat found.
United Airlines did not return a request for comment from SecurityNewsDaily.
Sedat said the privacy infringement problem was most likely due to "an invalid website session," because logging out and logging back in "seemed to solve the problem." But the bigger security risk presented by what Sedat discovered is that, rather than automatically logging Sedat out once it recognized his session was invalid, United permitted him to remain online, and then mistakenly revealed his fellow passengers' identities.
"If my session was broken, I should have been issued a new one or in the worst case (from a UX [user experience] perspective) lost my progress and had to log in again," he said. "Instead, it defaulted to showing me things that didn't belong to me . . . it illustrates a situation where an invalid session leads to a lot of private information getting leaked."
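The fail-open behaviour Sedat describes, beside the fail-closed handling he says he expected, as an added Python illustration that is not from the article or from United's systems; the session store, manifest entries and function names are constructed for the example:

```python
# Constructed illustration of fail-open vs fail-closed session handling.
# Hypothetical data and names; this is not United's code.

# Constructed sample data: the manifest of one flight, keyed by traveler id.
MANIFEST = {
    "T-100": {"name": "A. Example", "seat": "12A"},
    "T-200": {"name": "B. Example", "seat": "12B"},
    "T-300": {"name": "C. Example", "seat": "14C"},
}

# Constructed session store: session token -> traveler id.
SESSIONS = {"sess-valid": "T-100"}


class InvalidSession(Exception):
    """Raised when a session token is missing, expired, or unknown."""


def _resolve_traveler(session_id):
    """Map a session token to a traveler id, or None if the session is invalid."""
    return SESSIONS.get(session_id)


def traveler_dropdown_fail_open(session_id):
    """Vulnerable pattern: an unresolved session yields no filter, so the
    'my travelers' dropdown is populated from the whole manifest."""
    traveler_id = _resolve_traveler(session_id)
    # The ownership filter only applies when a traveler id exists; with an
    # invalid session every record passes, which is the leak described above.
    return sorted(
        rec["name"] for tid, rec in MANIFEST.items()
        if traveler_id is None or tid == traveler_id
    )


def traveler_dropdown_fail_closed(session_id):
    """Hardened pattern: an unresolved session is an error, never a wildcard.
    The caller is expected to issue a fresh session or force a re-login."""
    traveler_id = _resolve_traveler(session_id)
    if traveler_id is None:
        raise InvalidSession("session unknown or expired; re-authenticate")
    return [MANIFEST[traveler_id]["name"]]


def rejects_invalid_session(session_id):
    """True if the hardened path refuses to serve data for this session."""
    try:
        traveler_dropdown_fail_closed(session_id)
    except InvalidSession:
        return True
    return False
```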