One other idea to consider is that I presented the very worst possibility. At the very least, one could begin to build a profile of someone to steal their identity. And if that is too outlandish to consider, then perhaps the idea of being able to see when they would be gone (because you can see upcoming trips), and then just rob them. Either way, it's negligence on their part, plain and simple.
Yes, it is true. I demonstrated it to a local news anchor that had an account with Southwest. We sat at Starbucks, me on the other side of the room, and he randomly logged in and I grabbed his password and then presented him with a list of information that I was able to collect, including past and upcoming trips.
Fake boarding passes wouldn't particularly be all that hard to create either with all of the "print-at-home" tickets. Someone with decent Photoshop skills should be able to replicate one. Obviously it wouldn't get you on the plane, but it would get you past TSA and into the terminal.
Not at DIA or COS, at least, in the cases I've been involved in, although I have heard that at some airports the TSA does random gate/ID checks.
Until these merchants or companies get burned, they continue with the same practices because they figure it's not worth the time to do it right or they can "get away with it." For whatever reason (time, money, lack of knowledge), for most companies, security is not considered a benefit until it fails or they are discovered. Perhaps it's time for stricter consequences for instances of negligence such as this.
Yeah it is interesting that they don't. It would certainly be in their best interest to do something like that. What I found, particularly with this story, is that many media outlets didn't consider this "news" because no one has had the exploit performed against them. They have to see someone go down before they consider it an issue. Until then, it's just a "threat", not an attack.
Southwest wasn't the only app I found with username and password issues. There is a list below. Note that users typically have a really high rate of password reuse, so if we are able to compromise one account, the chances are good that we can compromise others.
Cloudette: Username in plaintext and password, hashed with MD5
Gas Buddy: Username and password, hashed with MD5
These two apps (Cloudette and Gas Buddy) are mentioned because you could replay these credentials to login to that account.
Southwest Airlines: Username and password in plaintext
Minus: Username and password in plaintext
Wordpress: Username and password in plaintext
Foodspotting: Username and password
ustream: Username and password
Labelbox: Username and password
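As an added example (not from the original post or the survey authors), a small Python check that sorts captured login requests into the same buckets as the list above: plaintext credentials, an unsalted MD5 hash that can be replayed as-is, or credentials carried only inside TLS. The host names, parameter names and the captured requests are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Parameter names that commonly carry login credentials (assumed list).
CRED_KEYS = {"username", "user", "login", "email", "password", "passwd", "pass"}
PW_KEYS = ("password", "passwd", "pass")
MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def _params(raw_request: str) -> dict:
    """Merge query-string and form-body parameters of one raw HTTP request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    target = head.split("\r\n", 1)[0].split(" ")[1]
    query = target.partition("?")[2]
    merged = {}
    for blob in (query, body):
        for key, values in parse_qs(blob).items():
            merged[key.lower()] = values[0]
    return merged


def classify_request(transport: str, raw_request: str) -> Optional[dict]:
    """Return a finding for a request that carries credentials, else None.

    transport is "tls" when the capture tool saw the request inside a TLS
    session and "tcp" when it was readable on the wire."""
    params = _params(raw_request)
    fields = CRED_KEYS & params.keys()
    if not fields:
        return None
    host = re.search(r"^Host:\s*(\S+)", raw_request, re.MULTILINE | re.IGNORECASE)
    pw = next((params[k] for k in PW_KEYS if k in params), "")
    if transport == "tls":
        verdict = "ok: credentials only visible after TLS termination"
    elif pw and MD5_HEX.match(pw):
        verdict = "high: unsalted MD5 hash sent in the clear; replayable as-is"
    else:
        verdict = "high: username and password in plaintext"
    return {"host": host.group(1) if host else "?", "fields": sorted(fields), "verdict": verdict}


# Constructed sample captures (not real traffic); the transport label comes from the capture tool.
SAMPLES = [
    ("tcp", "POST /login HTTP/1.1\r\nHost: mobile.airline.example\r\n\r\nusername=alice&password=Sup3rSecret"),
    ("tcp", "POST /api/auth HTTP/1.1\r\nHost: hashed.example\r\n\r\nuser=bob&password=5f4dcc3b5aa765d61d8327deb882cf99"),
    ("tls", "POST /login HTTP/1.1\r\nHost: secure.example\r\n\r\nusername=carol&password=x"),
    ("tcp", "GET /weather?city=denver HTTP/1.1\r\nHost: weather.example\r\n\r\n"),
]


def audit(samples=SAMPLES) -> list:
    """Run the classifier over every capture and keep only the requests that carry credentials."""
    return [f for f in (classify_request(t, r) for t, r in samples) if f]
```

Run this against your own app's traffic in a lab capture; anything in the "high" buckets is exactly what the list above describes.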
Of the 253 applications surveyed, 91.7% had no risk found, 3.1% had a low risk, 2.3% had a medium risk and 2.3% had a high risk. While it would be desirable to have no applications in the “Medium” or “High” category, the number of applications the authors found presented a security risk was both surprising and far too numerous. There are over 500,000 applications on the iOS App Store, so extrapolating the results, there could be at least 15,500 applications in the “Low” risk category and 11,500 applications in the “Medium” and “High” risk category.
You can find the full details here: http://blog.afewguyscoding.com/2012/01/affected-applications-a-survey-mobile-device-security-threats-vulnerabilities-defenses/
I made a shocking discovery. The largest single potential security breach was with the Southwest Airlines application. Southwest Airlines' iPhone app leaves a user's information vulnerable to hackers. When you log in to the application on your phone using your Rapid Rewards account, the app submits your username and password as plain text (unencrypted) to a Southwest remote server (mobile.southwest.com). A potential attacker can simply sniff for the data on the network and steal it. This situation is a hacker's dream!
If a victim's credentials were captured, a hacker could use those credentials to log in to that particular account and would have access to anything the victim has access to, such as addresses, birthdays, e-mail, phone and credit cards. They could even book a flight in the victim's name. This is not only obviously worrisome from the standpoint of a potential attacker fraudulently using a victim's account and credit card information, but also due to the possibility of terrorist threats in air travel. At the very least, this discovery uncovers the potential for identity theft, and at the very worst, it is a complete breakdown in national air travel security.
The possibility of being able to capture this data is especially probable since Denver International offers free WiFi and it is an unencrypted network. The probability that a Southwest passenger would log in to their account is also quite high since they have an entire terminal to themselves (C concourse). However, this could occur on any unencrypted or encrypted network.
Consider the possibility of a person who is currently (and rightfully) on the Department of Homeland Security’s “No-Fly” list. If this person were able to capture a victim’s credentials and create a fake ID, he could pass through TSA security without being stopped.
I don't know how Southwest Airlines let this happen, but sometimes companies have to decide between security and the bottom line. Companies rush to get products out, the engineering dollars are not there to complete the project, so security falls to the back. Usually, security is not thought of as a benefit, until it fails.
I contacted Southwest when the vulnerability was found in early December and they still have not released a patch as of today and they have never contacted me back about the vulnerability. Until the security flaw is fixed, the best solution is to not use the application.
A full list of applications with vulnerabilities can be found at http://blog.afewguyscoding.com/2011/12/survey-mobile-device-security-threats-vulnerabilities-defenses/.
Additionally, some local NBC (http://www.koaa.com/news/uccs-student-points-out-phone-security-concerns/) and ABC (http://www.krdo.com/news/30422585/detail.html) news stations and the Denver Post covered this story (http://blogs.denverpost.com/techknowbytes/2012/02/09/southwest-airlines-iphone-app-vulnerable-to-hackers-study-says/3264/).