Lufthansa data leak: What a single URL can reveal about you

Anyone who knows the URL of a Lufthansa booking details page can view, change or delete all the data listed there, including personal information up to passport numbers. Emirates, FedEx, Foodora, and JustFly have similar issues.


Björn Greif, Editor

There is a little-known but widespread privacy and security problem: telltale URLs. They allow third parties access to information that customers provide during online transactions. This often includes personally identifiable information (PII) such as name, address, phone number, email address, credit card information, travel plans or even passport number.

Filling in online forms with our personal information is part of our daily transactions with companies. When you order food, buy concert tickets or book a flight online, you will usually receive an email confirmation with a unique URL that, when clicked, takes you directly to an order/booking details page, with no need to log back into the site. On this page you can check your order again, make changes or cancel a booking. This is convenient but sometimes dangerous.

How third parties can access personal booking data

Of course, you assume that the information on the order/booking details page can only be accessed by yourself. However, this data can be viewed by anyone who has access to the web address of this page. The URLs, linked in confirmation emails, often contain specific strings that are used as a unique identifier. Whoever gets access to these unique URLs can simply open them (be it manually or using bots) and see, extract and even change or delete the personal information you provided as a part of your online transaction.

The Lufthansa booking details page contains contact data such as name, email address and phone number.

Now, you may ask: “These transactions are between me and my service provider’s website or app. How do external entities get access to these URLs?” Here’s where third-party tracking scripts come into play. E-commerce companies often add these third-party scripts to their websites and apps to provide analytics, advertising and other plug-in functionality. When not carefully implemented, these scripts can capture the unique URLs pointing to an order/booking details page – meaning that third parties now have access to all that data.
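The following check is an added example, not code from Local Sheriff or from the original post. Given the requests a page made, it reports every identifier from the page's URL that reached a third-party host, either inside the request URL or in the Referer header; all hostnames, parameter names and tokens are constructed, and the same-site test is a simplifying assumption.

```javascript
// Added example: every hostname, parameter and token below is constructed.
const MIN_TOKEN_LEN = 6; // shorter values are too common to be identifiers
// Crude "same site" test: last two DNS labels. This is a simplifying
// assumption; a real tool should use the Public Suffix List.
const site = (hostname) => hostname.split('.').slice(-2).join('.');

// Candidate identifiers in the first-party URL: query values, plus path
// segments that contain a digit (booking references, order numbers).
function candidateTokens(pageUrl) {
  const u = new URL(pageUrl);
  const segs = u.pathname.split('/').filter((s) => /\d/.test(s));
  return [...new Set([...u.searchParams.values(), ...segs])]
    .filter((t) => t.length >= MIN_TOKEN_LEN);
}

// Trackers often carry the page URL percent-encoded inside a parameter.
function fullyDecode(s) {
  for (let i = 0; i < 3; i++) {
    try { s = decodeURIComponent(s); } catch { break; }
  }
  return s;
}

// Report each identifier that reaches a third-party host, and by which route.
function findUrlLeaks(pageUrl, requests) {
  const firstParty = site(new URL(pageUrl).hostname);
  const tokens = candidateTokens(pageUrl);
  const leaks = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (site(host) === firstParty) continue; // first-party traffic is expected
    const routes = { url: fullyDecode(req.url), referer: fullyDecode(req.referer || '') };
    for (const token of tokens) {
      for (const [via, text] of Object.entries(routes)) {
        if (text.includes(token)) leaks.push({ host, token, via });
      }
    }
  }
  return leaks;
}

const PAGE = 'https://booking.airline.example/manage?ref=ABC123XYZ&lastName=Mustermann';
const REQUESTS = [ // constructed request log for one page view
  { url: 'https://booking.airline.example/static/app.js', referer: PAGE },
  { url: 'https://t.tracker-one.example/collect?dl=' + encodeURIComponent(PAGE), referer: '' },
  { url: 'https://cdn.tracker-two.example/pixel.gif', referer: PAGE },
  { url: 'https://fonts.cdn.example/font.woff2', referer: 'https://booking.airline.example/' },
];
console.log(findUrlLeaks(PAGE, REQUESTS));
```

The fourth request shows the safe case: a third party that only receives the origin in the Referer learns that the site was visited, but not the booking reference.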

Customers of Lufthansa, Emirates, FedEx, Foodora and JustFly affected

We already discussed at length how careless some companies are when it comes to your data and your privacy. Another example in this case is Lufthansa. The link in their usual confirmation email leads to a booking details page where passenger data including visa information and passport numbers can be changed, all of which are stored in plain text. In addition, all payments you made during the transaction can be viewed and your receipt can be downloaded. It is also possible to print your itinerary. As already mentioned, all this works without having to log into the Lufthansa website again – one click on the unique URL is enough!

Even passport data can be viewed or changed on the Lufthansa booking details page without authentication.

When you book your flight through Lufthansa, there are many data points related to your booking. The moment you click on ‘view / edit booking’ to select a seat for your trip or to check in for your flight, details unique to your booking are passed on to different third-party trackers like Exactag, Webtrends, and Google among others. Theoretically, this information can later be used to create a detailed profile of how the user navigates on different websites and to learn who that actual user is.

And Lufthansa is by no means an isolated case. This problem of leaking user information is definitely not limited to a few but is widespread among most of the websites you can think of. Similar issues can be observed with Lufthansa competitor Emirates, the food delivery service Foodora, the courier delivery service FedEx and the online travel agency JustFly. Even healthcare websites are affected.

Local Sheriff chases down the bad guys

Most of the time, neither the e-commerce companies nor their customers are aware of the potential privacy leaks caused by telltale URLs. To show users the extent of these privacy leaks and educate them about it, Cliqz has developed the experimental browser extension Local Sheriff, which was recently presented at the Defcon Demo Labs in Las Vegas (for more details, see this Threatpost article). Think of Local Sheriff as a reconnaissance tool in your browser for gathering information about what tracking companies know about you.

Local Sheriff reveals which websites share/leak which data points to which third parties in the form of telltale URLs.

While you browse the web as usual, the tool works in the background to help you identify which data points (PII) are being shared with or leaked to which third parties by which websites. It operates locally on your device, hence the name. Local Sheriff is available as a free extension for Chrome. The source code is publicly accessible on GitHub. A demo video can be found here. Ghacks already subjected Local Sheriff to a quick test and calls it “a well-designed privacy extension.”

Note: In a previous version of this blog post, BuySellAds was erroneously listed as a third-party tracker on the Lufthansa website due to a database error. We apologize for that.

