Privacy breach: Greyhound Australia ticketing system flawed – EFTM

Sometimes we take for granted the simple security measures put in place to protect our privacy.  Take for example the need to enter both your booking reference number, and your surname into an airline website before you can see a copy of the e-ticket for travel.  Now imagine you could just enter any set of random numbers and no other details to bring up the itinerary of someone who has booked a bus journey – it’s a huge security hole which leaves the privacy of thousands of travellers wide open and it happened right here in Australia to Greyhound Australia.

Exposed tonight on Channel 9’s A Current Affair by reporter Rohan Wenn, this simple error meant that typing any series of digits into the URL (web address) passengers use to download their own e-ticket would likely show you another traveller’s name and itinerary, plus the price they paid.


A full passenger itinerary - available simply by changing the Ticket Number in the web URL

While on the face of it this could be seen as a small problem, consider the privacy that should come with someone’s travel itinerary.  Is the person meant to be away from work?  Does their family know they are going away?  And perhaps most alarmingly, what could a potential burglar do with the information, knowing you are away from home for a set period?

Greyhound sent A Current Affair a written statement 4 days after being told of the bungle. They thanked A Current Affair for telling them about the “potential breach in privacy”, however as reporter Rohan Wenn points out “there was nothing potential about it. It actually happened.

They also tried to downplay its seriousness by pointing out they hadn’t received any customer complaints about the issue”

In the story that aired tonight, Rohan approached travellers whose itineraries he had found on the site: “They were all very surprised to see us and understandably more surprised to discover we had copies of their tickets. We approached them simply to see if what we had uncovered was correct, that we had found real, existing tickets for future dates. Unfortunately, it was correct.

One passenger in particular was extremely disturbed, fearing for her safety if someone in her life knew her whereabouts. Obviously, we did not put her to air in our story.”

Since the investigation by A Current Affair the site has removed the online ticketing flaw, and while that should give some comfort to those travelling it does little to change the fact that the flaw existed – probably for as long as the company has had an online e-ticket download service.

The flaw was this simple – you are at a website where the PDF ticket for your journey is available to print or save.  The Website URL (Address) ends with your own ticket number. Increase that number by 1 or any number, and you’ll likely find someone else’s valid ticket.
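To make the flaw concrete, here is an added example (not Greyhound’s code) contrasting a download handler that keys only on the sequential ticket number with one that also demands the booking surname, as airline sites do, plus a random per-ticket token; the in-memory ticket store and the function names are assumptions.

```python
import hmac
import secrets

# Constructed in-memory ticket store keyed by a sequential ticket number,
# standing in for the database behind the e-ticket download page (assumption).
TICKETS = {}
_next_no = 1000

def issue_ticket(surname, itinerary, price):
    """Book a ticket: assign the next sequential number and an unguessable
    download token that the traveller receives with their confirmation."""
    global _next_no
    _next_no += 1
    token = secrets.token_urlsafe(32)
    TICKETS[_next_no] = {"surname": surname.upper(), "itinerary": itinerary,
                         "price": price, "token": token}
    return _next_no, token

def download_vulnerable(ticket_no):
    """The flawed design: the sequential number from the URL is the only
    input, so any integer present in the table returns someone's ticket."""
    return TICKETS.get(ticket_no)

def download_hardened(ticket_no, surname, token):
    """Fixed design: the caller must also present the surname on the booking
    and the per-ticket token. Both checks run before deciding, comparisons
    are constant-time, and every failure returns the same None."""
    ticket = TICKETS.get(ticket_no)
    if ticket is None:
        return None
    surname_ok = hmac.compare_digest(ticket["surname"].encode(),
                                     surname.strip().upper().encode())
    token_ok = hmac.compare_digest(ticket["token"], token)
    return ticket if (surname_ok and token_ok) else None

if __name__ == "__main__":
    mine, my_token = issue_ticket("Smith", "Sydney to Brisbane", 129.0)
    issue_ticket("Jones", "Melbourne to Adelaide", 99.0)
    # Adding one to my own ticket number exposes the next traveller's ticket...
    print(download_vulnerable(mine + 1))
    # ...while the hardened endpoint returns nothing without their surname and token.
    print(download_hardened(mine + 1, "Smith", my_token))
```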

Ticket Number corresponded to the website URL

How could this happen?  Well, it is quite possible that the idea of a “downloadable ticket” was created along with a website and IT upgrade at the company, and with web development being a straightforward “give them what they want” driven process, the checks, balances and steps that larger travel organisations would put in place were simply not considered.

It begs the question: what other ticketing sites might suffer from the same simple flaw?

Greyhound offered no explanation for the error, only a simple “thank you” for contacting them, and that they’d fixed the problem.

Watch the full story from A Current Affair at their website: http://aca.ninemsn.com.au

Trevor produces two of the most popular technology podcasts in Australia, Your Tech Life and Two Blokes Talking Tech. He has a weekly radio show on 2UE, as well as appearances across the country and regularly provides Technology Commentary to Channel 9’s Today Show and A Current Affair. Father of three, he is often found down in his Man Cave.
4 Comments on this post.
  • A. Clue
    23 April 2014 at 2:39 pm

    > How could this happen? Well it is quite possible that the idea of a “downloadable ticket” was created along with a website and IT upgrade at the company, and with web development being a straight forward “give them what they want” driven process, the checks, balances and steps that larger travel organisations would put in place were simply not considered.

    I hate speculative nonsense like this. Does that mean that every company recently hit by the Heartbleed vulnerability was also “give them what they want” driven, and a small player in their respective industries? I think Google would be very surprised to hear that, for one.

    It is what it is – an oversight in a piece of software, written under tight deadlines, tight budgets, and I can guarantee you that the perceived size of the organisation has nothing to do with it.

    • Trevor Long
      24 April 2014 at 4:43 pm

      Hey Anonymous – I’m assuming you wrote the code for the Greyhound website – otherwise, you’re just a gutless online commenter – so good luck with that. Crawl back under your rock and enjoy the view.

      • A. Clue
        30 April 2014 at 1:10 pm

        Hey InternetWarrior – No, I had nothing to do with the Greyhound website, but have worked in the industry for over 10 years, have dealt with PCI and security audits, and have worked on projects that handle data in ways that would make your stomach turn.

        So yeah, you’re right, I do live under something, but it’s not a rock, it’s the piles of shit that people like yourself, without a clue, dump on developers without understanding the implications of their demands, or the compromises that are being made.

        I’ve seen “Security” companies that charge 5 figures for an audit, send me back reports that include their own source code because they’re not competent enough to actually perform a proper audit, meanwhile the developers are being overworked, and understaffed because the client won’t pay those same 5 figures to hire another developer, who would have eased pressure and resulted in better code to begin with.

        I’ve seen IT Managers and Company Directors refuse to let developers have access to staging copies of sensitive data, so that they can implement proper cryptography on the systems, despite the fact that the production database where the sensitive information is stored has no master password, and no access control.

        So yeah, I’m anonymous, not because I’m scared of you, but out of a sense of responsibility for what people could do if they looked me up and investigated what products I’ve worked on/around/for.

        Meanwhile you’re comfy on your sofa, enjoying the work of primarily 2 guys who have worked many sleepless, thankless, unpaid nights to bring you the most widely used security system in the world. Congrats to you.

  • A. Clue
    30 April 2014 at 2:35 pm

    Oh, and funnily enough, the “checks, balances and steps that larger travel organisations would put in place” actually lines up with my travel-related client (11-figure revenues, 6-figure staff) who ordered the security audits from a company that leaked its own source code during the audit…

    So again – it has nothing to do with how big or small the companies are, and everything to do with the pressure the development teams are placed under – and trust me when I say, the developers aren’t the ones following a “give them what they want” process, they’re following a “give them what we said wasn’t realistic, but the managers agreed to anyways” process.
