Hundreds of vulnerabilities found on American Airlines, Lastminute, Marriott, EasyJet and British Airways websites

Recent research has uncovered hundreds of security flaws on the websites of some of the world's largest airlines, travel agencies and hotel chains.

After analysing the websites of dozens of partner companies and brands, the researchers reported that the highest concentration of security errors is found on the platforms of companies such as British Airways, EasyJet and Marriott. In the case of the hotel chain, they found more than 400 vulnerabilities across all of its websites. Worse still, these companies have already suffered severe information security incidents, and their defences have still not improved.

[Image: which01.jpg]

The research was conducted by Which?, in collaboration with the security firm 6point6, which assessed the security of a total of 89 sites operated by these companies, including domains and subdomains.

The researchers state that they did not employ advanced hacking techniques; they limited themselves to completely legal, publicly available tools to search for poorly protected information. This matters because it shows how easily information that is supposed to be secured can be reached.

Marriott, a frequent guest on these lists

As mentioned above, Marriott's websites present hundreds of errors. The researchers discovered a total of 497 vulnerabilities across all websites operated by the company, including 96 high-severity flaws that could be exploited to compromise the information of millions of users.

The Which? research was carried out just a month after the hotel chain was fined £10 million by the UK Information Commissioner's Office (ICO) for a security incident that exposed the information of millions of customers and employees.

Frequent flaws at EasyJet

A few months ago EasyJet revealed that it had suffered a security incident affecting nearly 10 million customers. Although the company pledged to improve its security, the researchers found 222 vulnerabilities across nine airline-controlled domains.

Among the flaws found on EasyJet's platforms is a critical one that, if exploited, would allow threat actors to hijack the session in a target user's browser and steal private information.

British Airways repeats the same mistakes

The Which? analysis detected at least 115 weaknesses on British Airways websites, noting that 12 of these could be considered critical. Last year, a group of hackers managed to extract the names, email addresses and financial data of at least 500,000 of the airline's customers by exploiting various flaws in its systems. The ICO set a fine of £183 million for the company, although this does not appear to have taught it a lesson.

[Image: which02.jpg]

Travel agencies are not safe

Analysing the 153 subdomains belonging to the travel agency Lastminute, the researchers found multiple vulnerabilities that would allow threat actors to manipulate legitimate pages in order to access sensitive information such as session cookies, compromising users' browsing data.
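The EasyJet session-hijacking flaw and the Lastminute session-cookie exposure above both come down to how session cookies are issued. The following is an added example, not code from the article or from the Which?/6point6 research, of the kind of passive check a tester can run with nothing more than captured HTTP responses: it parses Set-Cookie headers and flags session-bearing cookies that lack HttpOnly, Secure or SameSite, or that are scoped to a parent domain and therefore shared with every subdomain. The cookie-name hints and the sample headers are assumptions constructed for the example; none of the headers were observed on any of the sites named in the article.

```python
"""Audit Set-Cookie headers for attributes that make session hijacking harder.

Added example; not the research team's tooling. The sample headers below are
constructed for illustration and are not from any site named in the article.
"""

# Assumed name fragments that usually mark a cookie as session-bearing.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "jwt", "login")


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and an attribute map.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie["attrs"][key.strip().lower()] = val.strip() if sep else True
    return cookie


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic: treat cookies whose name contains a session hint as sensitive."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookie(header: str, https: bool = True) -> list:
    """Return a list of findings (strings) for a single Set-Cookie header.

    Non-session cookies produce no findings; hijacking risk concentrates in
    cookies that carry an authenticated session.
    """
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    name = cookie["name"]
    findings = []
    if not looks_like_session_cookie(name):
        return findings

    # Without HttpOnly, script injected into the page can read document.cookie
    # and exfiltrate the session, which is exactly a browser-side hijack.
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")

    # Without Secure, the cookie is also sent over plaintext HTTP.
    if https and "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plaintext HTTP)")

    # SameSite limits cross-site requests from carrying the session.
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append(f"{name}: missing SameSite (cross-site requests carry it)")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure is rejected or unsafe")

    # An explicit Domain attribute makes the cookie available to every
    # subdomain of that domain, so one weak subdomain exposes the session.
    if "domain" in attrs:
        findings.append(f"{name}: Domain={attrs['domain']} shares it with all subdomains")
    return findings


def audit_all(headers: list, https: bool = True) -> dict:
    """Map cookie name -> findings for every header that produced findings."""
    report = {}
    for header in headers:
        found = audit_cookie(header, https=https)
        if found:
            report[parse_set_cookie(header)["name"]] = found
    return report


# Constructed sample responses (assumption; not real captured headers).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/",                               # weak: no protections
    "auth_token=xyz; Domain=example.com; Path=/; Secure",     # shared with subdomains
    "csrf_pref=1; Path=/",                                    # not a session cookie
    "sid=def456; Path=/; Secure; HttpOnly; SameSite=Lax",     # hardened
]

if __name__ == "__main__":
    for cookie_name, issues in audit_all(SAMPLE_HEADERS).items():
        for issue in issues:
            print(issue)
```

Run against real responses, the check is only a starting point: a cookie with every attribute set can still be stolen through a flaw in the page that issues it, and the name heuristic will miss sessions carried in cookies with neutral names, so confirm by hand which cookies actually authenticate a request.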

Potential risk on American Airlines

The investigators also analysed sites controlled by American Airlines, which has not suffered a comparable security incident, and found more than 290 vulnerabilities, 30 of which could be considered critical. It should be noted that exploiting these flaws would require authentication on the airline's systems, which makes an attack more difficult.

Some of the companies have already commented on this research and committed to improving their security practices; however, much work remains to secure customer data across the tourism industry.