Fowarded from: "Jay D. Dyson" <jdysonat_private> -----BEGIN PGP SIGNED MESSAGE----- Courtesy of Bugtraq. It would appear that American Airlines' security problems aren't the exception...they're the rule. - ---------- Forwarded message ---------- Date: Mon, 17 Sep 2001 10:39:06 -0700 From: Chris Fairbourne <chris.fairbourneat_private> To: "'bugtraqat_private'" <bugtraqat_private> Subject: aa.com not encrypting customer transaction data Looks like aa.com (American Airlines) is NOT encrypting customer data for purchasing e-tickets. Hopefully this isn't still the case by the time this posts. This hold true for both Advantage login and non-members as well. At no time did I get a redirect to an SSL server for my session. Taking a peek at the "Passenger Details" page source, no where do you find "https" or ":443", hmm. Next I make a phony submission and low and behold this is what I grabbed: " f o r m % C I _ C r e d i t C a r d T o U s e _ C a r d N u m b e r " v a l u e = " 4 3 2 3 5 0 1 9 8 3 5 1 9 9 9 9 " I've made serveral phone calls to aa.com and generated a few e-mail. I can't convince them I'm wrong, so I bring it to this forum. Chris Fairbourne pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x371E73BB fingerprint: 7AE3DCC82215697A0C3F61C4968FCFDB371E73BB -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: See http://www.treachery.net/~jdyson/ for current keys. iQCVAwUBO6ZTXblDRyqRQ2a9AQG92QP/fEs4SbpOnrHL9v+souHFK5+Lt4pmHn4G EtHF2G5s4oYaYVvJIS+QpuBw0DszoUXN6YI1kfZuDTkvBqsl2PkVsYuajy3qiCj0 yHeuXn35yAe/zK5HPwVGVmrBXN+6mSC69fTBskLHprAF5MZmDzZDJdgaasLZm9lu SzbSIAAb+ro= =yK2M -----END PGP SIGNATURE----- - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 03:04:14 PDT