Lufthansa data leak: What a single URL can reveal about you
There is a little-known but widespread privacy and security problem: telltale URLs. They give third parties access to the information that customers provide during online transactions. This often includes personally identifiable information (PII) such as name, address, phone number, email address, credit card details, travel plans or even passport number.
Filling in online forms with our personal information is part of our daily transactions with companies. When you order food, buy concert tickets or book a flight online, you usually receive an email confirmation with a unique URL that, when clicked, takes you directly to an order or booking details page, with no need to log back into the site. On this page you can check your order again, make changes or cancel a booking. This is convenient, but sometimes dangerous.
How third parties can access personal booking data
Naturally, you assume that the information on the order or booking details page can only be accessed by you. In fact, it can be viewed by anyone who has the web address of that page. The URLs linked in confirmation emails often contain a specific string that is used as a unique identifier. Whoever gets hold of such a URL can simply open it (manually or with a bot) and see, extract and even change or delete the personal information you provided as part of your online transaction.
The Lufthansa booking details page contains contact data such as name, email address and phone number.
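To make the design problem concrete, here is an added example (not code from Lufthansa, Cliqz or any booking system) that puts the "link is the only credential" pattern beside a hardened alternative: the emailed link carries a short-lived signed token, the URL alone yields only a redacted itinerary, and the sensitive fields need a second factor (the passenger's last name) that is never placed in the URL. The booking record, the signing secret and all function names are constructed for illustration.

```python
"""Telltale-URL handling: the bearer-link pattern and a hardened alternative.

Added example, not Lufthansa's or Cliqz's code. The booking data, the secret
key and the function names are a constructed toy to illustrate the design point.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample bookings; no real people, contacts or passports.
BOOKINGS = {
    "ABC123": {
        "last_name": "Doe",
        "email": "j.doe@example.invalid",
        "phone": "+49 000 0000000",
        "passport": "X1234567",
        "itinerary": "FRA-JFK 2018-09-01",
    },
}

# Hypothetical server-side secret for signing links (fresh per process here).
LINK_SECRET = secrets.token_bytes(32)

SENSITIVE_FIELDS = {"email", "phone", "passport"}


def lookup_bearer_link(booking_ref):
    """The pattern the article describes: whoever holds the identifier from the
    emailed URL gets the whole record, passport data included."""
    return BOOKINGS.get(booking_ref)


def make_link_token(booking_ref, ttl_seconds=3600, now=None):
    """Build a short-lived, HMAC-signed token for the confirmation-email link."""
    expires = int((now if now is not None else time.time()) + ttl_seconds)
    msg = f"{booking_ref}:{expires}".encode()
    sig = hmac.new(LINK_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{booking_ref}.{expires}.{sig}"


def verify_link_token(token, now=None):
    """Return the booking reference if the token is intact and unexpired, else None."""
    try:
        booking_ref, expires, sig = token.split(".")
        expires = int(expires)
    except ValueError:
        return None
    msg = f"{booking_ref}:{expires}".encode()
    expected = hmac.new(LINK_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if (now if now is not None else time.time()) > expires:
        return None
    return booking_ref


def lookup_hardened(token, last_name=None, now=None):
    """From the URL alone only the itinerary is visible; contact and passport
    fields require a second factor that never travels in the URL."""
    booking_ref = verify_link_token(token, now=now)
    if booking_ref is None or booking_ref not in BOOKINGS:
        return None
    record = BOOKINGS[booking_ref]
    supplied = (last_name or "").strip().lower().encode()
    if not hmac.compare_digest(supplied, record["last_name"].lower().encode()):
        # Redacted view: harmless even if the URL reaches a tracker or a forwarded mailbox.
        return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v)
                for k, v in record.items() if k != "last_name"}
    return dict(record)


def booking_page_headers():
    """Response headers for the details page: keep the URL out of Referer
    headers sent to third parties and out of shared caches."""
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}
```

The token expiry limits how long a leaked link stays useful; the second factor is what actually stops a third party who only has the URL from reading or editing passport data. Sending `Referrer-Policy: no-referrer` on the page closes the most common way such URLs reach trackers embedded in the page.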
Customers of Lufthansa, Emirates, FedEx, Foodora and JustFly affected
We have already discussed at length how careless some companies are when it comes to your data and your privacy. Lufthansa is another example. The link in its standard confirmation email leads to a booking details page where passenger data, including visa information and passport numbers, can be changed, all of which is stored in plain text. In addition, all payments made during the transaction can be viewed and the receipt can be downloaded. It is also possible to print the itinerary. As already mentioned, all of this works without logging into the Lufthansa website again – one click on the unique URL is enough!
Even passport data can be viewed or changed on the Lufthansa booking details page without authentication.
Local Sheriff chases down the bad guys
Most of the time, neither the e-commerce companies nor their customers are aware of the potential privacy leaks caused by telltale URLs. To show users the extent of these leaks and educate them about it, Cliqz has developed the experimental browser extension Local Sheriff, which was recently presented at the Defcon Demo Labs in Las Vegas (for more details, see this Threatpost article). Think of Local Sheriff as a reconnaissance tool in your browser for gathering information about what tracking companies know about you.
Local Sheriff reveals which websites share or leak which data points to which third parties in the form of telltale URLs.
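The kind of check described above, written out as an added example rather than the Local Sheriff extension's own code: given the data points a user entered on a first-party site and a log of the requests the page then issued, report which third-party hosts received which data point, whether verbatim in the URL, URL-encoded, carried in the Referer header, or as a common hash of the value. The captured requests, host names and data points are constructed for this example, and the "last two labels" domain comparison is a simplifying assumption (a real tool would use a public suffix list).

```python
"""Find personal data points leaking to third parties through request URLs.

Added example, not the Local Sheriff extension's code. Inputs below are
constructed; the domain comparison is deliberately simplified.
"""
import hashlib
from urllib.parse import unquote, urlsplit

# Constructed sample: data points the user typed into the booking site.
MY_DATA = {
    "email": "j.doe@example.invalid",
    "phone": "+49 000 0000000",
    "booking_ref": "ABC123",
}

# Constructed sample of requests a booking-details page might issue.
CAPTURED_REQUESTS = [
    {"first_party": "booking.example",
     "url": "https://booking.example/confirm?ref=ABC123", "referer": ""},
    {"first_party": "booking.example",
     "url": "https://tracker.example/pixel?u=j.doe%40example.invalid",
     "referer": "https://booking.example/confirm?ref=ABC123"},
    {"first_party": "booking.example",
     "url": "https://cdn.example/lib.js", "referer": "https://booking.example/"},
    {"first_party": "booking.example",
     "url": "https://analytics.example/collect?uid="
            + hashlib.sha256(b"j.doe@example.invalid").hexdigest(),
     "referer": ""},
]


def registrable_domain(host):
    """Assumption: last two labels approximate the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(first_party, url):
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) != registrable_domain(first_party)


def encodings(value):
    """Forms in which a data point commonly shows up in a URL: the raw value,
    its lower-cased form, and the usual hex digests of either."""
    forms = {value, value.lower()}
    for v in (value, value.lower()):
        for algo in (hashlib.md5, hashlib.sha1, hashlib.sha256):
            forms.add(algo(v.encode()).hexdigest())
    return forms


def find_leaks(requests, data_points):
    """Return sorted (third_party_host, data_point_name, where) tuples."""
    leaks = set()
    for req in requests:
        if not is_third_party(req["first_party"], req["url"]):
            continue  # first-party traffic is expected to carry the data
        host = urlsplit(req["url"]).hostname
        url_text = unquote(req["url"])
        ref_text = unquote(req.get("referer", ""))
        for name, value in data_points.items():
            for form in encodings(value):
                if form in url_text:
                    leaks.add((host, name, "url"))
                elif form in ref_text:
                    leaks.add((host, name, "referer"))
    return sorted(leaks)


if __name__ == "__main__":
    for host, name, where in find_leaks(CAPTURED_REQUESTS, MY_DATA):
        print(f"{name} reached {host} via {where}")
```

The Referer case is the one that matters for confirmation links: the booking page itself never sends passport data to the tracker, but the page's URL, which is the credential, rides along in the Referer header of every third-party request the page triggers.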