Akasa Air, India’s newest commercial airline, exposed personal data
belonging to its customers in an incident the company blamed on a
technical configuration error.
According to security researcher Ashutosh
Barot[1], the issue is rooted in
the account registration process, leading to the exposure of
details such as names, gender, email addresses, and phone
numbers.
The bug was identified on August 7, 2022, the same day the
low-cost airline commenced its operations in the country.
“I found an HTTP request which gave my name, email, phone
number, gender, etc. in JSON format,” Barot said[2]
in a write-up. “I immediately changed some parameters in [the]
request and I was able to see other users’ PII. It took around ~30
minutes to find this issue.”
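The behaviour Barot describes, an authenticated request whose identifier parameter can simply be changed to read someone else’s record, is an insecure direct object reference (IDOR), also called broken object-level authorization. The following added example is not Akasa Air’s code and does not reproduce its actual endpoint; the `userId` parameter, session cookie, handler names, and customer records are all constructed for illustration. It shows a handler that checks only that some session exists before trusting the client-supplied id, beside a hardened handler that derives the record from the session principal, and a probe that replays the researcher’s technique (one session, many ids) against both.

```python
"""
Illustrative IDOR demo, added as an example. Nothing here is taken from
Akasa Air's systems; endpoint shape, field names and records are constructed.
"""
import json

# Constructed sample data: the kind of fields the article says were exposed.
USERS = {
    1001: {"name": "A. Sharma", "gender": "F", "email": "a.sharma@example.com", "phone": "+91-9000000001"},
    1002: {"name": "B. Rao",    "gender": "M", "email": "b.rao@example.com",    "phone": "+91-9000000002"},
    1003: {"name": "C. Mehta",  "gender": "F", "email": "c.mehta@example.com",  "phone": "+91-9000000003"},
}

# Constructed session table: opaque session token -> authenticated user id.
SESSIONS = {"sess-alpha": 1001, "sess-bravo": 1002}


def _authenticate(headers):
    """Resolve the session cookie to a user id; None if unauthenticated."""
    token = headers.get("Cookie", "").removeprefix("session=")
    return SESSIONS.get(token)


def vulnerable_profile(headers, query):
    """Trusts the client-supplied userId after merely checking that a session exists.

    Any logged-in user can read any other user's record by changing userId,
    which is the class of bug the write-up describes.
    """
    if _authenticate(headers) is None:
        return 401, json.dumps({"error": "unauthenticated"})
    try:
        requested = int(query.get("userId", ""))
    except ValueError:
        return 400, json.dumps({"error": "bad userId"})
    record = USERS.get(requested)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps({"userId": requested, **record})


def hardened_profile(headers, query):
    """Binds the lookup to the authenticated principal.

    The session, not the request, decides whose record is returned. A userId
    naming a different account gets the same generic 404 as a non-existent
    one, so the response does not confirm which ids exist.
    """
    caller = _authenticate(headers)
    if caller is None:
        return 401, json.dumps({"error": "unauthenticated"})
    requested = query.get("userId")
    if requested is not None and requested != str(caller):
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps({"userId": caller, **USERS[caller]})


def enumerate_records(handler, session_token, id_range):
    """Replays the probe from the write-up: keep one session, vary the id.

    Returns the set of userIds whose PII the handler disclosed.
    """
    headers = {"Cookie": f"session={session_token}"}
    leaked = set()
    for uid in id_range:
        status, body = handler(headers, {"userId": str(uid)})
        if status == 200:
            leaked.add(json.loads(body)["userId"])
    return leaked


if __name__ == "__main__":
    probe = range(1000, 1010)
    print("vulnerable leaks:", sorted(enumerate_records(vulnerable_profile, "sess-alpha", probe)))
    print("hardened leaks:  ", sorted(enumerate_records(hardened_profile, "sess-alpha", probe)))
```

Against the vulnerable handler the probe returns every record in the store; against the hardened one it returns only the caller’s own. The design point is that the object-level check must compare the requested object’s owner with the session principal on every request, not just confirm that a session is present; a generic 404 for foreign ids is a deliberate choice so that a probe like this cannot be used to map which account ids exist.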
Upon receiving the report, the company said[3]
it temporarily shut down parts of its system to incorporate
additional security guardrails. It has also reported the incident
to the Indian Computer Emergency Response Team (CERT-In).
Akasa Air emphasized that no travel-related information or
payment details were left accessible and that there is no evidence
the glitch was exploited in the wild.
The airline further said it has notified affected users directly,
although the scale of the leak remains unclear, and that it “advised
users to be conscious of possible phishing attempts.” That warning is
apt: names, email addresses, and phone numbers are exactly the fields a
targeted phishing or SMS-based lure needs to look credible.
References
Read more https://thehackernews.com/2022/08/indias-newest-airline-akasa-air-suffers.html