British Airways exposes personal and flight information of passengers due to flaw in e-ticketing system

Security researchers from Wandera discovered a security flaw in the e-ticketing system of British Airways. The flaw could expose passenger data, including flight details and personal information. The researchers found that the flight check-in links sent to passengers by British Airways via email were unencrypted, which opens the door to an attack that could expose passengers’ booking reference numbers, phone numbers, email addresses, and more. “In an effort to streamline the user experience, passenger details are included in the URL parameters that direct the passenger from the email to the British Airways website where they are logged in automatically so they can view their itinerary and check-in for their flight,” wrote the Wandera researchers in a blog post. “The passenger details included in the URL parameters are the booking reference and surname, both of which are exposed because the link is unencrypted,” the researchers added. Because the link is unencrypted, someone on the same network can easily snoop on such requests to view information about the passengers or even alter their booking information. The exposed information includes passengers’ names, email addresses, phone numbers, membership numbers, booking reference numbers, itineraries, flight numbers, flight times, and seat numbers. The researchers discovered the flaw in July 2019 and informed the airline soon afterwards. At the time of publishing their analysis, the researchers stated that the flaw had not yet been fixed. By the researchers’ estimate, 2.5 million connections were made to the affected British Airways domains in the preceding six months. According to British Airways, however, no passport or payment information could be accessed by exploiting this flaw, and the airline stated that there is no evidence of any customer information having been accessed illegally.
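The two weaknesses described above, a plain-HTTP link and passenger identifiers carried in URL query parameters, are both visible in the e-mail template before it is ever sent. The following script is an added example, not Wandera's or British Airways' code: it extracts every link from a template, flags links that are not HTTPS, and flags query parameters whose names match a list of passenger identifiers. The parameter-name list and the sample template are constructed for illustration and would need to be replaced with a site's own parameter names.

```python
"""Audit the links in an outgoing e-mail template for the two weaknesses the
Wandera report describes: check-in links served over plain HTTP, and
passenger identifiers carried in URL query parameters.

Added example, not Wandera's or British Airways' code. The parameter names
and the sample template below are constructed for illustration."""
from __future__ import annotations

import html
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlparse

# Query-parameter names (normalised: lower case, no '-' or '_') that identify
# a passenger or act as a login credential. Hypothetical list; a real audit
# would use the site's own parameter names.
SENSITIVE_PARAMS = {"bookingref", "pnr", "surname", "lastname", "email",
                    "phone", "membershipnumber", "membership"}

URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Finding:
    url: str
    issues: list[str] = field(default_factory=list)


def _normalise(name: str) -> str:
    return name.lower().replace("-", "").replace("_", "")


def audit_link(url: str) -> Finding:
    """Return the issues found in one link (an empty list means it passed)."""
    parsed = urlparse(url)
    finding = Finding(url)
    # Anything other than HTTPS lets an on-path observer read the whole URL.
    if parsed.scheme.lower() != "https":
        finding.issues.append("transport: link is not HTTPS")
    # Identifiers in the query string also end up in browser history, proxy
    # and server logs, and Referer headers even when the transport is encrypted.
    for name, _value in parse_qsl(parsed.query, keep_blank_values=True):
        if _normalise(name) in SENSITIVE_PARAMS:
            finding.issues.append(f"identifier in query string: {name}")
    return finding


def audit_template(body: str) -> list[Finding]:
    """Extract every http(s) link from an e-mail body and keep the failing ones."""
    findings = []
    for raw in URL_PATTERN.findall(body):
        url = html.unescape(raw)   # templates usually encode '&' as '&amp;'
        finding = audit_link(url)
        if finding.issues:
            findings.append(finding)
    return findings


# Constructed sample template: one weak link, one acceptable link that
# carries no passenger data and lets the user enter it on the HTTPS page.
SAMPLE_TEMPLATE = """
<p>Your flight is now open for check-in.</p>
<a href="http://checkin.example.com/manage?bookingref=ABC123&amp;surname=Smith">Check in</a>
<a href="https://checkin.example.com/manage">Check in (enter your details on the site)</a>
"""

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(finding.url)
        for issue in finding.issues:
            print("  -", issue)
```

The check deliberately reports identifiers in the query string even on HTTPS links: encryption protects the URL in transit, but a URL that logs the user in on its own is a bearer credential, and it will still be recorded wherever URLs are logged.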

 

Newly discovered KNOB flaw affects Bluetooth-enabled devices

Security researchers have discovered a new vulnerability, dubbed ‘KNOB’, that affects Bluetooth-enabled devices. The flaw can allow attackers to brute-force the encryption key used when pairing devices via Bluetooth. In a coordinated disclosure involving the Center for IT-Security, Privacy, and Accountability (CISPA) and ICASI, the flaw was found to affect Bluetooth BR/EDR devices using specification versions 1.0 to 5.1. Tracked as CVE-2019-9506, the flaw allows an attacker to reduce the length of the encryption key used for establishing a connection. “The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used,” said the disclosure. The researchers further noted that, “For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection.” Once attackers obtain the encryption key, they can monitor or manipulate the traffic transferred between the two paired devices, including potentially injecting commands and monitoring keystrokes. “In such cases where an attacking device was successful in setting the encryption key to a shorter length, the attacking device could then initiate a brute force attack and have a higher probability of successfully cracking the key and then be able to monitor or manipulate traffic,” added the researchers. Exploiting this vulnerability is not an easy task, as there are some limitations such as the following.

 

Misconfigured MongoDB database leaks 700,000 Choice Hotels customer records

Choice Hotels, one of the largest lodging franchisors, has recently disclosed that it suffered a data breach caused by a misconfigured MongoDB database. According to Comparitech and security researcher Bob Diachenko, cybercriminals took advantage of the unprotected database and stole 700,000 customer records belonging to Choice Hotels. The threat actors left behind a ransom note demanding about 0.4 Bitcoin in return for the records. The breach came to light on June 30, 2019, after Diachenko noticed the database indexed by the BinaryEdge search engine. Upon discovery, Diachenko emailed Choice Hotels about the issue, and the server was secured on July 2. The data compromised in the incident includes customers’ names, email addresses, physical addresses, and phone numbers; no financial or more detailed personal information was exposed. Choice Hotels said in its reply that the fields containing passwords, reservation details and payment information held only fake test data. “The database held 5.6 million records. However, Choice Hotels told Comparitech in an email that the majority of records were ‘test data, not associated with real people,’” said the report from Comparitech.

 

Millions of web servers exposed to DoS attacks due to new HTTP/2 flaws

The widely used HTTP/2 protocol contains a set of eight vulnerabilities that could lead to DoS attacks. Unpatched web servers running any of several implementations of HTTP/2 could be taken down in this way, and around 40% of websites on the Internet support HTTP/2 and could be vulnerable. DoS attacks can cause servers to become unresponsive and deny visitors access to web pages, crippling crucial web services. Some of these flaws can be exploited remotely by attackers, a few could impact multiple servers from a single end-system, and the rest could be used for DDoS attacks. Netflix stated in an advisory that all the attack vectors are variants of the same pattern: a client requests a response from an unpatched server and then refuses to read it. An alert from the CERT Coordination Center listed many large vendors that may be affected by these DoS vulnerabilities, including Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu. Many of the affected vendors have already patched their systems; Cloudflare, for example, fixed seven of the vulnerabilities impacting the Nginx servers it uses for HTTP/2 communication.

 

Zero-day privilege escalation vulnerability in gaming platform Steam could impact over 100 Million users

A security researcher named Felix detected a zero-day privilege escalation vulnerability in the Steam game client for Windows. The vulnerability could allow an attacker to run a program with administrator privileges: successful exploitation lets an attacker run any program with the highest privileges on any Windows system with Steam installed. Felix found that the registry key for the Steam service grants explicit “Full control” to the “Users” group, and that these permissions apply to all subkeys and their subkeys in turn. To confirm this, the researcher created a test key and restarted the service, which gave the researcher full (read and write) access to the key. The researcher reported the vulnerability to Steam’s parent company, Valve Corporation, via HackerOne on June 15, 2019. Valve marked the vulnerability as “Not Applicable”, citing “Attacks that require the ability to drop files in arbitrary locations on the user's filesystem” and “Attacks that require physical access to the user’s device.” However, 45 days after the initial disclosure, the researcher made the vulnerability public, as Steam has 125 million active accounts and the flaw could impact all of those users. Another security researcher, Matt Nelson, created proof-of-concept (PoC) code for the vulnerability and shared it on GitHub.
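The root cause described above is an access-control entry on a service's registry key that grants full control to the Users group and is inherited by every subkey. The script below is an added example, not Valve's or the researcher's code, for auditing that pattern: it parses the SDDL string that `(Get-Acl -Path <registry key>).Sddl` returns on Windows and lists allow-entries that give write access to principals every local user holds (Users, Authenticated Users, Everyone, Interactive). The two descriptors at the bottom are constructed, not Steam's actual key, so the script runs offline; the key path is a placeholder to fill in.

```python
"""Flag registry-key ACL entries that hand broad, inheritable write access to
low-privileged groups, the pattern described for the Steam service key above.

Added example, not Valve's or the researcher's code. It operates on the SDDL
string that, on Windows, `(Get-Acl -Path <registry key>).Sddl` returns, so it
can be run offline against the constructed sample descriptors at the bottom."""
from __future__ import annotations

import re
from dataclasses import dataclass

# SDDL account aliases and raw SIDs for principals that every local user holds.
LOW_PRIV_PRINCIPALS = {
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "IU": "Interactive Users", "S-1-5-4": "Interactive Users",
}

# Two-letter SDDL rights that let the holder change a key or its ACL.
WRITE_RIGHT_CODES = {"KA", "KW", "GA", "GW", "WD", "WO"}
# The same notion for a hexadecimal access mask: KEY_SET_VALUE,
# KEY_CREATE_SUB_KEY, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
WRITE_MASK = 0x2 | 0x4 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

# ACE string: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_PATTERN = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")


@dataclass(frozen=True)
class RiskyAce:
    principal: str
    rights: str
    inheritable: bool   # CI/OI flags: subkeys inherit the same access


def _grants_write(rights: str) -> bool:
    """True if the rights field (two-letter codes or a hex mask) allows writes."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_RIGHT_CODES)


def _dacl(sddl: str) -> str:
    """Return only the DACL section, ignoring owner, group and SACL."""
    start = sddl.find("D:")
    if start < 0:
        return ""
    end = sddl.find("S:", start)
    return sddl[start:] if end < 0 else sddl[start:end]


def risky_aces(sddl: str) -> list[RiskyAce]:
    """List allow-ACEs that give write access to low-privileged principals."""
    found = []
    for ace_type, flags, rights, _obj, _inh_obj, sid in ACE_PATTERN.findall(_dacl(sddl)):
        if ace_type != "A":            # only access-allowed entries matter
            continue
        principal = LOW_PRIV_PRINCIPALS.get(sid)
        if principal is None or not _grants_write(rights):
            continue
        inheritable = "CI" in flags or "OI" in flags
        found.append(RiskyAce(principal, rights, inheritable))
    return found


# Constructed descriptors (not Steam's real key): the weak one mirrors the
# description above (Users: full control, inherited by subkeys); the fixed
# one limits Users to read while Administrators and SYSTEM keep full control.
WEAK_KEY_SDDL = "O:BAG:SYD:(A;CI;KA;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)"
FIXED_KEY_SDDL = "O:BAG:SYD:(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)"

if __name__ == "__main__":
    # On Windows, paste the output of (Get-Acl -Path "HKLM:\<service key placeholder>").Sddl
    for label, sddl in (("weak", WEAK_KEY_SDDL), ("fixed", FIXED_KEY_SDDL)):
        print(f"{label}: {risky_aces(sddl) or 'no risky entries'}")
```

The `inheritable` flag is what turns one bad entry into a tree-wide problem: with `CI` set, every subkey created under the service key starts life with the same permissions, which is exactly the behaviour the researcher confirmed by creating a test key.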

 

Over 40 drivers from AMD, NVIDIA, Intel and others affected by flaws in Windows kernel

Researchers have uncovered several security issues in the Windows kernel that affect over 40 drivers from 20 different vendors. The vulnerabilities can allow attackers to access a device’s hardware and firmware. A team of two researchers shed light on the problem of insecure drivers at the DEF CON 27 security conference. All of these drivers have been signed by valid Certificate Authorities and certified by Microsoft. According to Mickey Shkatov, Principal Researcher at Eclypsium, the issue applies to all versions of Microsoft Windows. Shkatov and Jesse Michael explained that they had first identified the issues in April and then gave the 20 companies a 90-day window to mitigate them. According to the researchers, the vulnerabilities can allow an “application running with user privileges to escalate to kernel privileges and abuse the functionality of the driver”. Some of the issues can be exploited to gain highly privileged access to hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory. Furthermore, attackers can deploy malware that abuses a vulnerable driver already present on the system, which can give them full control over the system and the underlying firmware. “In other words, any malware running in the user space could scan for a vulnerable driver on the victim machine and then use it to gain full control over the system and potentially the underlying firmware,” said the researchers in a blog post. “These issues apply to all modern versions of Microsoft Windows and there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers,” the researchers added. Some vendors, such as Intel and Huawei, have issued updates to address the vulnerabilities. Independent BIOS vendors such as Phoenix and Insyde will be releasing updates soon.
Meanwhile, Microsoft has recommended that its customers use Windows Defender Application Control to block known vulnerable software drivers. It has also suggested that customers use Windows 10 and the Edge browser for better protection.

 

Edited and compiled by cyber security specialist James Aguilan.