- Jul 22, 2014
- 2,525
Fly the insecure skies
International airline Emirates leaks customers' sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox.
Modi, in an online post on Friday, said that after a customer books a flight through Emirates, the process of managing the reservation shares personally identifiable information with over a dozen third-party trackers, including Boxever, Coremetrics, Crazy Egg, Facebook, and Google.
The data includes: customer name, customer email, itinerary, phone number, passport number and details, and brings with it the ability to edit this information.
The Emirates privacy policy makes clear some data sharing may occur. But the policy language stops short of declaring a wholesale customer data giveaway or granting the ability to alter reservations.
Modi said his argument is not against using third-party trackers. "The concern lies when such services are implemented across all pages of the website, without distinguishing between what is private data and what is not," he said, noting that not all such services should have access to the full spectrum of customer data.
The reservation confirmation email, when clicked, Modi explains, takes the user to Emirates website, which is festooned with trackers – code that captures data on behalf of a marketing partner.
And because the initial link relies on the insecure HTTP protocol, related data is potentially accessible to a network-based man-in-the-middle attack.
In an email to The Register, Modi described several scenarios by which such information could be abused:
...
...
...
Modi contends that other airlines like KLM and Lufthansa exhibit similarly lackluster data security practices, or at least did so when he checked last October. He says that the problem isn't so much the usage of third-party services as how these services are implemented.
Trackers like Facebook and Google Analytics allow companies to track individuals across the internet and potentially to de-anonymize them, said Modi.
"The key point here is the user never signed for this, all s/he did was surf the internet," he explained.
...
...
International airline Emirates leaks customers' sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox.
Modi, in an online post on Friday, said that after a customer books a flight through Emirates, the process of managing the reservation shares personally identifiable information with over a dozen third-party trackers, including Boxever, Coremetrics, Crazy Egg, Facebook, and Google.
The data includes: customer name, customer email, itinerary, phone number, passport number and details, and brings with it the ability to edit this information.
The Emirates privacy policy makes clear some data sharing may occur. But the policy language stops short of declaring a wholesale customer data giveaway or granting the ability to alter reservations.
Modi said his argument is not against using third-party trackers. "The concern lies when such services are implemented across all pages of the website, without distinguishing between what is private data and what is not," he said, noting that not all such services should have access to the full spectrum of customer data.
The reservation confirmation email, when clicked, Modi explains, takes the user to Emirates website, which is festooned with trackers – code that captures data on behalf of a marketing partner.
And because the initial link relies on the insecure HTTP protocol, related data is potentially accessible to a network-based man-in-the-middle attack.
In an email to The Register, Modi described several scenarios by which such information could be abused:
...
...
...
Modi contends that other airlines like KLM and Lufthansa exhibit similarly lackluster data security practices, or at least did so when he checked last October. He says that the problem isn't so much the usage of third-party services as how these services are implemented.
Trackers like Facebook and Google Analytics allow companies to track individuals across the internet and potentially to de-anonymize them, said Modi.
"The key point here is the user never signed for this, all s/he did was surf the internet," he explained.
...
...