After the incident of Worldwide Package Travel Service Ltd (縱橫遊, WWPKG), public raises concerns about the security of their personal data obtained by travel agencies. NOW TV invited VXRL researchers, Anthony Lai and Alan Ho, to test the security of the websites of local travel agencies. We discovered that many of the websites have insufficient privacy protection when transmitting sensitive personally identifiable information (PII) including name and passport number. We demonstrated that it is possible for an attacker to steal sensitive information from users of these websites using a fake Wi-Fi.
During the test, we found that the website of Hong Thai Travel Agency did not use encryption when receiving orders from users. Information includes name, birthday, phone number and passport number are sent in plaintext. Fortunately, credit card information was handled by a third-party processor, so it is not affected by this problem. Alan Ho demonstrated how an attacker could steal information using a rogue Access Point (AP). When a victim connects to the fake AP, sensitive information that he enters in the travel agency website is readable by the attacker. He also demonstrated that how HTTPS encrypt the data and protect users’ privacy.
Furthermore, NOW TV reporters tested other travel agency websites using Qualys SSL Labs tool. It turns out that, although most of the websites use HTTPS, many of them were using legacy TLS protocol which is vulnerable to different kinds of attacks.
Anthony Lai talked about the necessity of using SSL in the websites which handle sensitive information, then explained the findings of SSL Labs results like the problem of insecure key exchange. Moreover, Anthony Lai pointed out that the current regulations are not sufficient to protect users’ privacy today. There is no penalty even if the negligence of a company causes the loss of a large number of customers data. It is a good chance to review the privacy protection regulations in Hong Kong.
All website security issues found were reported to the affected companies. The problems are fixed or mitigated before the news program was broadcasted.
Source: Now TV:【新聞極客】旅遊網站存保安漏洞 個人資料或外洩
Did you enjoy this post? Want to find out more about us? Contact us