Norwegian programmer Roy Solberg came across an enumeration bug that leaked the full name of all travelers on a booking, the email addresses used, and flight details from Thomas Cook Airlines’ systems using only a booking reference number. Simply changing the booking number unveiled a new set of customer details.
The exposed info covered trips booked through the travel agency Ving, which is owned by Thomas Cook.
Thomas Cook Airlines has closed the privacy hole, technically known as a Insecure Direct Object Reference (IDOR), a common enough and basic problems on poorly-designed web applications.
Solberg reckoned on Sunday that data of bookings made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway were affected by the vulnerability. Data going back to 2013 was obtainable before the hole was closed. Simple scripts might easily have been used to download the exposed data before the security hole was resolved, he adds.
Everything’s fine! Nothing to see here
A spokeswoman for Thomas Cook was at pains to emphasise “this did not affect UK customers,” before forwarding a canned statement further downplaying the incident, which it is not treating as a notifiable privacy breach.