[ISN] Ryanair admits to serious website flaw

From: InfoSec News (isnat_private)
Date: Fri Nov 02 2001 - 00:44:21 PST

  • Next message: InfoSec News: "[ISN] (Update): Terrorists and use of hidden messages"

    http://www.vnunet.com/News/1126560
    
    By Liesbeth Evers 
    Network News 
    [31-10-2001]
    
    Ryanair has admitted that its online recruitment website has a serious
    security flaw which exposes job seekers' details to the eyes of
    crackers.
    
    Sensitive personal information, such as credit card details, health
    records and career history, is collected by the unsecured site and
    sent in unencrypted email to the company's back office.
    
    The flaw potentially breaches the Data Protection Act, which came into
    force last week. Chris McAlpine, of the Information Commissioner's
    Office, said: "The transfer has to be secure, especially for sensitive
    data."
    
    Phil Robinson, managing consultant at Information Risk Management,
    pointed out that the inclusion of credit card details made the
    vulnerability "very serious". Unlike personal data, credit card
    details can easily be turned into money.
    
    The only way a pilot can apply for a job at Ryanair is via the
    internet. The recruitment data contains credit card information
    because Ryanair refuses to consider applications unless a 50 fee is
    paid.
    
    Embarrassingly for the airline, this vulnerability is easy and cheap
    to avoid. Secure socket layer (SSL) security, the encryption feature
    in the software, should be switched on and the company then has only
    to spend a few hundred pounds on a digital certificate to ensure that
    data is sent to the correct party instead of to a rogue server.
    
    "Securing a site through SSL is usually a very simple job," said
    Robinson. "Without it, a network sniffer can pick up unsecured data
    passing through a cable modem or the local site of the internet
    service provider. Or someone can spoof Ryanair's domain name and set
    up a rogue server to receive data from an imitated site."
    
    Michael O'Leary, chief executive at Ryanair, admitted the security
    blunder to the BBC last week, and promised that the leak would be
    fixed by this week. Ryanair has since refused to comment on the
    situation, although O'Leary maintained that it had not deterred job
    applicants from using the site.
    
    Ryanair's recruitment site states explicitly that applicants'
    information will remain confidential. "That is clearly incorrect,"
    said Robinson. "The way the data is submitted is totally
    unconfidential."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Nov 02 2001 - 03:08:16 PST