AKASA AIRLINE FOUND EXPOSURE OF PASSENGER DATA
Introduction:
The newest domestic airline in India, Akasa Airline, launched on 7th August and reported a data breach on 22 August 2022. The organization reported the details of the incident to CERT-In (Indian Computer Emergency Response Team) and implemented all the necessary measures. It stated that the data breach did not expose user travel or payment information.
Attack process:
On the day of the airline's launch, Ashutosh Barot, a security researcher, discovered a bug in the company website. He stated that the issue was found in the account registration process and was the root cause of the exposure of user data such as names, gender, email addresses, and phone numbers.
According to Barot's analysis, the flaw was in the website functionality that lets users register and create a profile by giving some basic details such as user name, mobile number, and email address. Barot stated that he had registered a profile on akasaair.com and logged into it. Later he searched for his own PII in Burp responses. He identified an HTTP request that returned his name, mobile number, email address, gender, etc., in JSON format. He attempted to change a few parameters in the request, which gave him access to another user's PII. He also mentioned that it took approximately 30 minutes to identify the issue. He then reached out to the security team of akasaair.com and explained the situation. Akasa Air stated that it had immediately shut down its system upon receiving the report in order to add further security controls. It also reported the incident to CERT-In.
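The class of flaw described above, a profile lookup that trusts an identifier sent in the request, is shown here next to a corrected handler that binds the lookup to the authenticated session. This is an added example, not Akasa Air's code; the `user_id` parameter, the function names, the session store and all sample records are assumptions constructed for illustration.

```python
# Constructed sample data; the fields mirror the PII types listed in the article.
PROFILES = {
    "u1001": {"name": "Asha Rao", "email": "asha@example.com",
              "mobile": "+91-0000000001", "gender": "F"},
    "u1002": {"name": "Ravi Nair", "email": "ravi@example.com",
              "mobile": "+91-0000000002", "gender": "M"},
}
# Session token -> authenticated user id (stands in for a real session store).
SESSIONS = {"tok-asha": "u1001", "tok-ravi": "u1002"}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_profile_vulnerable(session_token, params):
    """Checks only that the caller is logged in, then trusts the client-supplied id."""
    if session_token not in SESSIONS:
        raise Forbidden("not authenticated")
    return PROFILES[params["user_id"]]  # missing ownership check


def get_profile_hardened(session_token, params, audit_log):
    """Derives the subject from the session and rejects any id that does not match it."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("not authenticated")
    requested = params.get("user_id", caller)
    if requested != caller:
        # Record the mismatch so repeated probing shows up in monitoring.
        audit_log.append({"event": "profile_id_mismatch",
                          "caller": caller, "requested": requested})
        raise Forbidden("not authorized for this profile")
    return PROFILES[caller]
```

The hardened handler never reads a profile by the client-supplied value; it only compares that value with the session's own id, and the audit entry gives the security team a signal to alert on.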
Impact:
The company described the issue as a temporary technical configuration error and said there was no trace of a breach of users' travel information or payment details. Data such as name, email address, mobile number, and gender might have been accessed by unauthorized users. The company also stated that the technical issue was not fully exploited.
Remediation:
The organization fixed the issue within two weeks. It alerted users about the incident and advised them to be alert to potential phishing attacks. It has implemented measures to prevent similar risks now and in the future.
- The company immediately blocked the unauthorized access after becoming aware of it, by shutting down the corresponding functional aspects of its system.
- They have implemented additional safeguards to solve this scenario and resumed login and sign-up services.
- The company reported the incident to CERT-In.
- It notified the affected users and advised them to be alert to potential phishing attacks.