Potential Privacy Vulnerability in Revamped AA.com

Scion · Nov 15, 10, 2:08 pm

I just had a disturbing phone call.

Another person who works in my same company called to report that while attempting to log in to the new AA.com, and after entering his username and password, he was presented with details of MY account ... and evidently was able to navigate around, view details, and might, had he been so inclined, have been able to book tickets, use miles for other purposes, or who knows what.

I have never met this person [let's call him Mr. X], and he works in a different city from me. Insofar as I know, we have never used the same computer for any purpose at any time.

After this experience, Mr. X called AA, who told him repeatedly that the problem must be at his/our end ... presumbly with our comany's Internet cache servers/firewall. They suggested that he determine whether the person whose account he was viewing worked for the same company. That turned out to be the case, he phoned me, I phoned the EP desk, and that's where we stand.

This problem, if it is widespread, clearly represents a significant risk. Since I see no obvious reason to believe that my company's infrastructure is unique in this regard, I suspect other users may be similarly vulnerable. Since the emergence of this problem coincides with the rollout of the new AA.com, it is difficult to imagine the two are not connected.

TheDudeAbides · Nov 15, 10, 2:42 pm

Interesting. Had you been on AA.com earlier in the day, and if so, did you logout when you were finished?

metzby · Nov 15, 10, 3:29 pm

Yup; sounds to me like a proxy issue.

Your company shares an internet connection for all of you. They have a box that sits on the internet connection and tries to save money by sharing pages that it's already seen. In this case, the "my profile" page is being shared. But obviously, it shouldn't be.

The rules around this are complex and sometimes not fully-baked. So at least one of AA and your company's proxy is in the wrong.

wbl-mn-flyer · Nov 15, 10, 4:13 pm

Please send a letter to AA about this issue.

The person you talked to on the phone may have marked the issue as "solved" and there could be no further follow-up, based on your report of that conversation.

It sounds like there is a big technical problem, which their Web and Privacy folks need to look at.

_kurt · Nov 15, 10, 6:13 pm

Normally a proxy server would not cache SSL pages. Was all your access to the site via https? Unless your company has tinkered with the trusted certificates on your PC, the proxy server can't touch an SSL session without you seeing a certificate warning.

redrock · Nov 16, 10, 7:46 am

Quote:

Originally Posted by _kurt

Normally a proxy server would not cache SSL pages. Was all your access to the site via https? Unless your company has tinkered with the trusted certificates on your PC, the proxy server can't touch an SSL session without you seeing a certificate warning.

I think this may be the issue. Its possible the new site may have misconfigured the https/certificate settings. I seems like they are using frames in the site and the guts are very similar to the old system. So it could be an issue with the new site and interaction between (http) and (https) pages/links. I think maybe a call to web services might get the quickest real response on the issue. I am pretty sure there is some sort of tiger team web support queue with the launch of the new site.

mingw · Nov 16, 10, 8:35 am

if the proxy server is the cause, it means the proxy caches cookie AND caches HTTPS. plus, properly written pages with login info would have no-cache or no-store in headers.

unless the server has been hacked to do this on purpose, it's highly unlikely to happen.

I would bet it's 100% aa.com problem. a simple bug setting or getting wrong cookie value would make this happen.

Scion · Nov 16, 10, 8:42 am

In answer to the question, YES, I had been on the site earlier in the day ... wanted to have a look at the 'new' website. I don't honestly recall if I logged out after that, but it's at least a possibility that I did not.

I kinda thought perhaps somebody from AA would have called back with additional queries or to report that they had identified and resolved the vulnerability ... but have heard not a peep (though I'm on the road, so if they called my home, they may have left a message).

RB211 · Nov 19, 10, 11:21 pm

I experienced this about a decade ago with the old AA.com. It was a proxy issue back then and the company soon fixed it. Not an AA.com issue. This sounds exactly the same.

rb211.

formeraa · Nov 20, 10, 8:34 am

To the OP --

I would notify your company IT department about this problem. It sounds like an INTERNAL problem as has been outlined above. I strongly suggest calling your company's help desk to report the issue.

Meanwhile, always LOG OUT of everything -- even if you're at home!