It seems that if you use a certain url on the Aer Lingus site you can access the account details of whoever logged into some sections last. I logged into the Gold Circle section and when someone logged in after me the got the below details. I’m not the only one. Anyone that clicks on the url (which seems to be just a general url with session details) will see details of anyone who logged in last. I rang customer care who are not equipped to deal with this in fairness and they asked me to email in the url. Twenty mins later and I still can’t find an email address on their site that I can email. They seem to think fax is enough for Irish people. Oh and their Aer Lingus queries site is down so I can’t send in my “query” via there.
Not that I have much of a clue about security but it appears to be a simple session hikack, although not intentional. The url sent to me and others by someone linking to the Gold Circle page contained session details and for some reason when registering after that for Gold Circle and logging out, the next person in could see the details of the previous person. If they hadn’t logged out yet you got the screen cap from above but if they logged out you saw “just” their email address. A very obvious data breach.
The worrying thing is that this technique might be used to get even more details from accounts including credit card details. So on Easter Sunday I am told I should email this into customer care, if I can find their email details. I’m still looking.
Update: Email to customer care:
My personal data was accessed by other people.
My mobile number is +353
I already called about this at 3pm today. I was told to fill this form in. There has been a data security breach on your site which has ended up with my personal data being exposed via the Gold Circle section of Aer Lingus website. It has happened to others too and I believe they have made contact.
The clock started ticking for me at 3pm and I would like to be contacted and assured that this data breach is being taken seriously and that a report will be issued as to what happened. I would also like to be updated on the progression of the investigation of this issue.
I have also put this issue on my website: http://url.ie/aln and will be updating it as time goes by.
Thank you.
Damien Mulley
Update 2 @19:11 – Well Aer Lingus took down the site for a while but the issue is still there. James Galvin shared a url and when I clicked on it, I got his fake account details:
Including his credit card details, though he didn’t put them in:
The very worrying thing is that it was sheer accident that some of us happened upon this. Is this a temporary bug or has it been around all the time? Can session IDs be predicted?