Hacking for Pre✓

Secure Flight Passenger Data that wasn’t, or Client side validation for the win!

Earlier this month I went on a work trip to Iowa. Of course I forgot to pack and spent the evening before rushing to prep my backpack. Finally get my bag packed, go to bed, and remember that I need to check in. So, I check in online while half asleep.

So far so good, but then I notice that there’s no TSA Pre✓ symbol on my eBoarding pass. This is not ideal because of lines and body scanner fun. At this point I start clicking around Delta’s website looking for the Pre✓ section.

Discovery

I found the problem on Delta’s “basic info” page: My passenger name was correct, but whoever fixed it last time didn’t update my name under the “secure flight passenger data” section.

That mismatch with my KTN was enough to not show Pre✓ on my boarding pass.

Delta passenger profile

I clicked edit hoping for a quick fix but the form fields were greyed out. Now I’m getting a bit anxious. Searching online shows that they want you to call them for any changes. It’s 2 AM and I really do not like calling people.

Now Sleepy Jade Brain™ kicks in and has just enough hope and desperation to fire up Chrome Developer Tools. It looks like a form with disabled fields. Why a form instead of rendering out a fake form or something? I can change my KTN and that’s part of the form, why not my name? (yes, this is conflating technical limitations with policy intentions)

Delta form field disabled

Okay, it is a form field and they’ve set the disabled property. I wonder what happens if I enabled it and save changes… They wouldn’t implement policy rules strictly in code on a computer they don’t control, would they?

Wow. It looks like it saved. That can’t be right. I log out and back in. Name is still correct! I load the page on my phone, just to rule out cookies. Correct there too! I click to send a new mobile boarding pass to my phone. 😌 Pre✓ ‍‍💁 and time for sleep.

Disclosure

Checking with FB friends that might have contacts at Delta

Of course, now I’m really excited and can’t sleep so I searched for a security contact or bug bounty site and didn’t find either. So, I asked my FB friends and went to sleep.

In the morning I found out that their networks come close, but don’t directly reach anyone at Delta.

At this point I’m waiting for my flight and try the yolo move for customer service: @ing their twitter account.

The old twitter shoutout

One of their security folks reached out just as I was boarding the flight. We had a brief chat, they emailed me from their @delta.com email, and I sent over repro steps and some screenshots.

I got a reply confirming that they considered this a security issue and a “this is a great finding” thank you, which made my day.

They gave me a timeline for when they’d have it patched that was significantly shorter than I’d anticipated, which was encouraging to see as a customer.

Resolution

Delta now has server-side validation for the “Secure Flight Passenger Data form. If you try to change a field it comes back as “null”, but reverts to “” on page refresh.

Thankfully they did not revert my name change, though they did note that I changed it and wished me happy 🏳️‍🌈 pride.

I am curious why Delta doesn’t handle online name changes. I haven’t had to call customer service or whatever with other airlines.

Closing thoughts

Yes, this is a pretty simple hack, but it’s still a hack.

Would I have appreciated some kind of bounty? Sure, but that’s not what drives me. Besides, accepting one would have likely conflicted with work rules.

My prior work was either ignored by vendor (breaking a Motorola-proprietary encryption algo at $OLDWORK) or legally encumbered by vendor NDAs at $WORK, so I’m glad to have a discovery with a positive outcome that I can talk about.