Tell HN: Alaska Airlines website exposes passenger data
JaakkoP Saturday, December 07, 2024

TL;DR: Alaska exposes other customers' names, record locators, flight information, phone numbers, emails, and probably more. I could have canceled or changed these people's flights.
The first time it happened, it showed up as "Treat yourself, Samantha" in the website ad for upgrading yourself to Premium class. My name is not Samantha.
I clicked, and saw Samantha Lastname was traveling from Miami to Seattle. There was her phone number, record locator, ticket and mileage numbers, emails and other info. It also would have let me change or cancel her flights.
When I refreshed I got a new person. Trevor. He's going from JFK to SEA, and back to EWR.
I figured this wasn't a one-off (yet still serious) bug, and called Alaska Support. They didn't believe me, but once I had rattled off the customer information I had in front of me and told them I'm none of these people, they transferred me to someone I thought was a higher-up.
The higher-up person verified some information, asked no questions on how to replicate the bug, and asked me to log out and log back in. Once I did, the issue did not show up again. They said they'll send me 3,000 points for reporting. That sounded pretty low to me as it seemed like a serious data leak, but whatever.
I contemplated whether to post about this as I thought it would be interesting for the HN audience to see, but decided against it thinking I'll give Alaska time to fix it.
It's been 4 months now, and today this happened again. I saw an upgrade ad for Sally. Sally and Chris are traveling in the same reservation from Redmond, OR to Seattle in Main Preferred class. Knowing what I was looking at, I figured Alaska had done absolutely nothing to fix the issue.
I have a theory about what's causing it, as there's something specific that happened before both of these issues, but I'll refrain from posting it here so it's not as easy to exploit. Who knows what else the payload might include.
I took screenshots throughout the process, including some console logs, to document what I saw. I am sharing this here in the hope that the added visibility will finally push Alaska Airlines to address the issue.