Why just love? even data is in the air! 🛩❤🛫❤✈
Well, it is one of the most established airline companies, so the obvious focus would be on the aeroplanes, their maintenance, the physical safety and security of the travellers, customer service and cost. But in a digitally connected world, where a complex electro-mechanical structure like an aircraft is tightly coupled with computer systems, it is ridiculous to see that the sensitive data of an aircraft company is neglected.
Yes, this airline company's login has two components: a username and a password, like any other website. Guess what? The username is the employee number and the password is their date of birth! On top of this, there is no anti-automation applied, or what we usually refer to as rate-limiting. In simple terms, rate-limiting means that when someone keeps providing invalid credentials, maybe after 3 or 5 such wrong attempts, the account will be locked. But here, they have not even enforced such basic security features. How long will it take for us to brute force the authentication with an automated script using wordlists and payloads?
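As an added example (not code from the original post), here is the kind of login guard the post says is missing: it refuses a password equal to the employee's own date of birth and locks the account after a handful of failed attempts inside a time window. The employee number, date of birth and password below are constructed sample values, and plain SHA-256 stands in for a proper slow password hash such as argon2 or bcrypt.

```python
# Added example: DOB-as-password rejection plus failed-attempt lockout.
# All user data is constructed; sha256 stands in for a slow password hash.
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5   # wrong attempts tolerated inside the window
WINDOW = 600       # seconds over which failures are counted
LOCKOUT = 900      # seconds the account stays locked

# Constructed sample directory: employee number -> (date of birth, password hash).
USERS = {
    "10234": ("1985-07-19", hashlib.sha256(b"correct horse staple 42").hexdigest()),
}

_failures = defaultdict(deque)   # employee number -> timestamps of recent failures
_locked_until = {}               # employee number -> time the lock expires

def dob_variants(dob):
    """Common ways a YYYY-MM-DD birth date gets typed as a password."""
    y, m, d = dob.split("-")
    return {y + m + d, d + m + y, d + m + y[2:], d + "/" + m + "/" + y, d + "-" + m + "-" + y, dob}

def password_is_acceptable(password, dob):
    """Policy check: the password must not be the employee's own birth date."""
    return password not in dob_variants(dob)

def attempt_login(emp_no, password, now=None):
    """Returns 'ok', 'bad_credentials' or 'locked'."""
    now = time.time() if now is None else now
    if _locked_until.get(emp_no, 0) > now:
        return "locked"
    record = USERS.get(emp_no)
    digest = hashlib.sha256(password.encode()).hexdigest()
    # compare_digest avoids a timing side channel; unknown users simply fail.
    if record and hmac.compare_digest(digest, record[1]):
        _failures[emp_no].clear()
        return "ok"
    q = _failures[emp_no]
    q.append(now)
    while q and q[0] < now - WINDOW:   # forget failures outside the window
        q.popleft()
    if len(q) >= MAX_FAILURES:
        _locked_until[emp_no] = now + LOCKOUT
        q.clear()
        return "locked"
    return "bad_credentials"
```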
Of course, attempts were made to let the CIO and the concerned authorities of the company know about this vulnerability. But it seems they are absolutely not bothered.
Now the most important question: what details can you get when you successfully log in to this airline employee portal? Bank account details of the employees, their compensation or CTC details, their PF account details, their IT and Form 16 details, etc.
Wondering which great airline company it is? It is one of those listed below 😉
Vistara
Air India
Air Asia
Truejet
Jet Airways
Alliance Air
Goair
Indigo
Spice Jet