A bug in United Airlines’ website let anyone access the ticket information for travelers who requested a refund.
The airline’s website lets users check their refund status by entering their ticket number and last name. But the website wasn’t validating the last name, making it possible to access other travelers’ refund information by changing the ticket number.
IT security expert Oliver Linow, who found the bug, told TechCrunch that he could see traveler surnames, the payment type and currency used to buy the ticket, and the refund amount.
United, like most other airlines, lets passengers access and modify their upcoming flights using only a passenger’s ticket number and last name.
Linow reported the issue to United on July 6. It took the airline a month to fix. But Linow did not hear back again from the airline.
It’s not known for how long the bug was present….