[ISN] aa.com not encrypting customer transaction data

From: InfoSec News (isnat_private)
Date: Tue Sep 18 2001 - 01:03:30 PDT

  • Next message: InfoSec News: "Re: [ISN] September 11th Does Not Mean Cyberwar is Coming"

    Fowarded from: "Jay D. Dyson" <jdysonat_private>
    Courtesy of Bugtraq.
    It would appear that American Airlines' security problems aren't the
    exception...they're the rule.
    - ---------- Forwarded message ----------
    Date: Mon, 17 Sep 2001 10:39:06 -0700
    From: Chris Fairbourne <chris.fairbourneat_private>
    To: "'bugtraqat_private'" <bugtraqat_private>
    Subject: aa.com not encrypting customer transaction data
    Looks like aa.com (American Airlines) is NOT encrypting customer data for
    purchasing e-tickets.
    Hopefully this isn't still the case by the time this posts.
    This hold true for both Advantage login and non-members as well.
    At no time did I get a redirect to an SSL server for my session.
    Taking a peek at the "Passenger Details" page source, no where do you find
    "https" or ":443", hmm.
    Next I make a phony submission and low and behold this is what I grabbed:
    " f o r m % C I _ C r e d i t C a r d T o U s e _ C a
     r d N u m b e r "   v a l u e = " 4 3 2 3 5 0 1 9 8 3 5 1 9 9 9 9 "
    I've made serveral phone calls to aa.com and generated a few e-mail. 
    I can't convince them I'm wrong, so I bring it to this forum.
    Chris Fairbourne
    pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x371E73BB 
    fingerprint: 7AE3DCC82215697A0C3F61C4968FCFDB371E73BB 
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    -----END PGP SIGNATURE-----
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 03:04:14 PDT