Tinfoil Security's Ben Sedat recently found that, while booking a flight on United Airlines' Web site, he was able to view the entire passenger manifest. "Kind of scary, and nothing I had any business looking at," he writes.
What's more, Sedat says, several other parts of the site, including the account management page, were broken, displaying "None" for all values.
"He suspects the information leak was the result of improper session management and authentication, a class of vulnerability listed on the Top 10 list maintained by the Open Web Application Security Project," writes Ars Technica's Dan Goodin. "He said he informed a United support representative of the glitch, and was told she couldn't reproduce the problem when she checked his account. When he logged out and logged back on, the errant information was gone."
"I don’t have direct access to United’s code, but I think that my session (likely invalid) was part of the problem, since logging out seemed to solve the problem," Sedat writes. "Sessions, especially long-lived ones, can be tricky to manage. If my session was broken, I should have been issued a new one or in the worst case (from a UX perspective) lost my progress and had to log in again. Instead, it defaulted to showing me things that didn’t belong to me."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
A day after his initial post, Sedat updated it to state, "United has confirmed that they have found and fixed this specific issue."
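The session handling Sedat describes, where a broken session should end in a new session or a forced login rather than a default view, is sketched below as an added example. It is not United's code or anything from Sedat's post; the session store, tokens and bookings are constructed, and the fail-open handler is only an assumed way such a leak could arise.

```python
# Added illustration: every name is hypothetical and all data is constructed.
SESSIONS = {"tok-alice": "alice"}  # session token -> user id
BOOKINGS = [
    {"user": "alice", "flight": "XX100", "seat": "12A"},
    {"user": "bob", "flight": "XX100", "seat": "12B"},
    {"user": "carol", "flight": "XX100", "seat": "14C"},
]


class SessionInvalid(Exception):
    """Raised so the caller forces a fresh login instead of guessing."""


def bookings_fail_open(token):
    # Weak pattern: an unknown token resolves to None, and the ownership
    # filter is silently skipped when there is no user to filter by.
    user = SESSIONS.get(token)
    return [b for b in BOOKINGS if user is None or b["user"] == user]


def bookings_fail_closed(token):
    # Hardened pattern: an unknown or stale token is an error, never a default.
    user = SESSIONS.get(token)
    if user is None:
        raise SessionInvalid("session not recognised; log in again")
    # The ownership filter is unconditional.
    return [b for b in BOOKINGS if b["user"] == user]


def handle_request(token):
    # The caller turns the error into "re-authenticate", the worst case
    # from a UX perspective, and returns no data at all.
    try:
        return 200, bookings_fail_closed(token)
    except SessionInvalid:
        SESSIONS.pop(token, None)  # discard any state tied to the token
        return 401, []
```
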