Submission + - Southwest Airlines iPhone app vulnerable to hackers
davidstites writes: "I am a masters computer science student at University of Colorado at Colorado Springs and in November I performed a security audit of 230+ popular iOS applications because I wanted to know how secure apps on smartphones and tablets really are.
I made a shocking discovery. The largest single potential security breach was with the Southwest Airlines application. Southwest Airlines’ iPhone app leaves a user’s information vulnerable to hackers. When you login to the application on your phone using your Rapid Rewards account, the app submits your username and password information as plain-text (unencrypted) to a Southwest remote server (mobile.southwest.com). A potential attacker can simply sniff for the data on the network and steal it. This situation is a hackers dream!
If a victims credentials were captured, a hacker could use those credentials to login to that particular account and they would have access to anything the victim would have access to, such as addresses, birthdays, e-mail, phone and credit cards. They could even book a flight in the victims name. This not only obviously worrisome from the standpoint of a potential attacker fraudulently using a victims account and credit card information, but also due to the possibility of terrorist threats in air travel. At the very least, this discovery uncovers the potential for identity theft and at the very worst, it is a complete breakdown in national air travel security.
The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network. The probability that a Southwest passenger would login to their account is also quite high since they have an entire terminal to themselves (C concourse). However, this could occur on any unencrypted or encrypted network.
Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security’s “No-Fly” list. If this person were able to capture a victim’s credentials and create a fake ID, he could pass through TSA security without being stopped.
I don't know how Southwest Airlines let this happen, but sometimes companies have to decide between security and the bottom line. Companies rush to get products out, the engineering dollars are not there to complete the project, so security falls to the back. Usually, security is not thought of as a benefit, until it fails.
I contacted Southwest when the vulnerability was found in early December and they still have not released a patch as of today and they have never contacted me back about the vulnerability. Until the security flaw is fixed, the best solution is to not use the application.
A full list of applications with vulnerabilities can be found at http://blog.afewguyscoding.com/2011/12/survey-mobile-device-security-threats-vulnerabilities-defenses/.
Additionally, some local NBC (http://www.koaa.com/news/uccs-student-points-out-phone-security-concerns/) and ABC (http://www.krdo.com/news/30422585/detail.html) news stations and the Denver Post covered this story (http://blogs.denverpost.com/techknowbytes/2012/02/09/southwest-airlines-iphone-app-vulnerable-to-hackers-study-says/3264/)."
I made a shocking discovery. The largest single potential security breach was with the Southwest Airlines application. Southwest Airlines’ iPhone app leaves a user’s information vulnerable to hackers. When you login to the application on your phone using your Rapid Rewards account, the app submits your username and password information as plain-text (unencrypted) to a Southwest remote server (mobile.southwest.com). A potential attacker can simply sniff for the data on the network and steal it. This situation is a hackers dream!
If a victims credentials were captured, a hacker could use those credentials to login to that particular account and they would have access to anything the victim would have access to, such as addresses, birthdays, e-mail, phone and credit cards. They could even book a flight in the victims name. This not only obviously worrisome from the standpoint of a potential attacker fraudulently using a victims account and credit card information, but also due to the possibility of terrorist threats in air travel. At the very least, this discovery uncovers the potential for identity theft and at the very worst, it is a complete breakdown in national air travel security.
The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network. The probability that a Southwest passenger would login to their account is also quite high since they have an entire terminal to themselves (C concourse). However, this could occur on any unencrypted or encrypted network.
Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security’s “No-Fly” list. If this person were able to capture a victim’s credentials and create a fake ID, he could pass through TSA security without being stopped.
I don't know how Southwest Airlines let this happen, but sometimes companies have to decide between security and the bottom line. Companies rush to get products out, the engineering dollars are not there to complete the project, so security falls to the back. Usually, security is not thought of as a benefit, until it fails.
I contacted Southwest when the vulnerability was found in early December and they still have not released a patch as of today and they have never contacted me back about the vulnerability. Until the security flaw is fixed, the best solution is to not use the application.
A full list of applications with vulnerabilities can be found at http://blog.afewguyscoding.com/2011/12/survey-mobile-device-security-threats-vulnerabilities-defenses/.
Additionally, some local NBC (http://www.koaa.com/news/uccs-student-points-out-phone-security-concerns/) and ABC (http://www.krdo.com/news/30422585/detail.html) news stations and the Denver Post covered this story (http://blogs.denverpost.com/techknowbytes/2012/02/09/southwest-airlines-iphone-app-vulnerable-to-hackers-study-says/3264/)."
