Secure Flight Passenger Data that wasn’t, or Client side validation for the win!
Earlier this month I went on a work trip to Iowa. Of course I forgot to pack and spent the evening before rushing to prep my backpack. Finally get my bag packed, go to bed, and remember that I need to check in. So, I check in online while half asleep.
So far so good, but then I notice that there’s no TSA Pre✓ symbol on my eBoarding pass. This is not ideal because of lines and body scanner fun. At this point I start clicking around Delta’s website looking for the Pre✓ section.
I found the problem on Delta’s “basic info” page: My passenger name was correct, but whoever fixed it last time didn’t update my name under the “secure flight passenger data” section.
That mismatch with my KTN was enough to not show Pre✓ on my boarding pass.
I clicked edit hoping for a quick fix but the form fields were greyed out. At this point I’m getting a bit anxious. Searching online shows that they want you to call them for any changes. It’s 2 AM at this point and I really do not like calling people.
At this point Sleepy Jade Brain™ kicks in and has just enough hope and desperation to fire up Chrome Developer Tools. It looks like a form with disabled fields. Why a form instead of rendering out a fake form or something? I can change my KTN and that’s part of the form, why not my name? (yes, this is conflating technical limitations with policy intentions)
Okay, it is a form field and they’ve set the disabled property.
I wonder what happens if I enabled it and save changes…
They wouldn’t implement policy rules strictly in code on a computer they don’t control, would they?
Wow. It looks like it saved. That can’t be right. I log out and back in. Name is still correct! I load the page on my phone, just to rule out cookies. Correct there too! I click to send a new mobile boarding pass to my phone. 😌 Pre✓ 💁 and time for sleep.
Of course, now I’m really excited and can’t sleep so I searched for a security contact or bug bounty site and didn’t find either. So, I asked my FB friends and went to sleep.
In the morning I found out that their networks come close, but don’t directly reach anyone at Delta.
At this point I’m waiting for my flight and try the yolo move for customer service: @ing their twitter account.
One of their security folks reached out just as I was boarding the flight. We had a brief chat, they emailed me from their @delta.com email, and I sent over repro steps and some screenshots.
I got a reply confirming that they considered this a security issue and a “this is a great finding” thank you, which made my day.
They gave me a timeline for when they’d have it patched that was significantly shorter than I’d anticipated, which was encouraging to see as a customer.
Delta now has server-side validation for the “Secure Flight Passenger Data” form. If you try to change a field it comes back as “null”, but reverts to “” on page refresh.
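What that server-side check looks like, as an added example that is not Delta’s code: the stored profile, the field names and the “only the KTN is editable online” policy are assumptions constructed for the demo.

```javascript
// Added example (not Delta's code): a server-side update handler for a
// "Secure Flight Passenger Data" form whose name fields the browser renders
// as disabled. Profile contents, field names and the editable-field policy
// are assumptions constructed for this demo.

// Constructed record the server holds for the logged-in user.
const STORED_PROFILE = { firstName: "Pat", lastName: "Example", knownTravelerNumber: "TT123456789" };

// Policy decision that belongs on the server: which fields may change online.
const CLIENT_EDITABLE = new Set(["knownTravelerNumber"]);

// Models what a browser posts: inputs carrying the disabled attribute are
// omitted, so the attribute is a UI hint, not an access control.
function browserSubmission(formInputs) {
  const body = {};
  for (const input of formInputs) {
    if (!input.disabled) body[input.name] = input.value;
  }
  return body;
}

// Weak handler: merges whatever arrived. Nothing but the client-side
// disabled attribute stands between the user and a name change.
function applyUpdateTrustingClient(profile, body) {
  return { ...profile, ...body };
}

// Hardened handler: re-applies the policy on every request and rejects the
// whole update if any locked or unknown field would change.
function applyUpdateServerSide(profile, body) {
  const rejected = [];
  const next = { ...profile };
  for (const [field, value] of Object.entries(body)) {
    if (!(field in profile)) { rejected.push(field); continue; }
    if (!CLIENT_EDITABLE.has(field) && value !== profile[field]) {
      rejected.push(field);
      continue;
    }
    next[field] = value;
  }
  return rejected.length === 0
    ? { ok: true, profile: next, rejected }
    : { ok: false, profile, rejected };
}

// Constructed form state after the disabled attribute was removed from lastName.
const TAMPERED_FORM = [
  { name: "firstName", value: "Pat", disabled: true },
  { name: "lastName", value: "Changed", disabled: false },
  { name: "knownTravelerNumber", value: "TT123456789", disabled: false },
];
```

The weak handler silently persists the tampered last name; the hardened one returns `ok: false` with `rejected: ["lastName"]` and leaves the stored record untouched.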
Thankfully they did not revert my name change, though they did note that I changed it and wished me happy 🏳️🌈 pride.
I am curious why Delta doesn’t handle online name changes. I haven’t had to call customer service or whatever with other airlines.
Yes, this is a pretty simple hack, but it’s still a hack.
Would I have appreciated some kind of bounty? Sure, but that’s not what drives me. Besides, accepting one would have likely conflicted with work rules.
My prior work was either ignored by the vendor (breaking a Motorola-proprietary encryption algo at $OLDWORK) or legally encumbered by vendor NDAs at $WORK, so I’m glad to have a discovery with a positive outcome that I can talk about.