Flight booking platform Option Way exposes customer and internal data

Researchers from vpnMentor security firm have recently discovered a huge data breach in flight booking platform Option Way.

Researchers at vpnMentor discovered a huge data breach in flight booking platform Option Way as part of a web-mapping project.

Option Way service allows its users to find flight deals to and from destinations around the world.

The research team lead by Noam Rotem and Ran Locar scans familiar IP blocks to find security flaws that would lead the organizations to a data breach.

The experts discovered that a huge portion of the database used by the Option Way platform is completely unprotected and unencrypted.

“The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via a browser and manipulate the URL search criteria into exposing huge amounts of data.” reads the analysis published by the experts.

“Option Way customers and the airlines on their platform must be aware of the risks they take when using technology that makes so little effort to protect their users.”

The experts discovered over 100GB of data, including unencrypted personal details of customers (Customer names, Date of Birth, Gender, Email addresses, Phone, numbers, Home Address & postcode) and information about users’ flights and travel arrangements.

The experts claimed that the following statement published on the website of the platform is not true, because customers’ Personally Identifiable Information (PII) was not encrypted.

“The www.Option Way.com website is protected by an SSL certificate. When you enter your personal data, it is encrypted and stored to let you make transactions. Your personal data is processed in line with the recommendations set out by the CNIL (France’s data protection authority).”

Experts also discovered that the email addresses of Option Way were accessible as a result of ‘incorrect password’ reset links.

vpnMentor warns that combining leaked data it is possible to create a complete user profile of Option Way customers, exposing them to multiple criminal activities and cyber frauds.

Data left unsecured online also expose Option Way to hack because they include employee and company information

“We were able to view the PIIs of staff members that were using the platform to book flights.” continues the analysis.

“During our investigation, we also found the company’s credit card details unmasked and viewable to anybody with access to the database. This was used to book flights for staff members and customers, creating a huge risk for Option Way.”

“By not protecting the company credit card, Option Way is making itself vulnerable to devastating financial fraud.”

Below the timeline of the discovery shared by the experts:

Date discovered: 20/08/19
Date vendors contacted: 25/08/19
Date of Response: 29/08/19

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – data breach, Option Way)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.