SWA's horrible website security

Old Jun 20, 2011, 12:05 am
  #1  
Original Poster
 
Join Date: Dec 2005
Posts: 284
SWA's horrible website security

I have always wondered why Southwest's website is only encrypted on the final purchase page. None of the login pages for Rapid Rewards uses SSH. Even SWABIZ does not use SSH. When I try to force it to https, the website redirects me back to http. That means all your login, personal info, and RR account are communicated in plain text.

Compare this with the other airlines. AA has encryption everywhere. You can even encrypt your flight searches. I'm not saying that SWA needs to take it that far, but it would seem obvious that your RR account info should be encrypted.

I find it disturbing that SWA treats security as a joke. SWA is inviting trouble by being worse than Sony. You just need basic skills to capture people's login info. Sit in an airport with a wireless packet sniffer and log people's unencrypted login info. Then do what you may with the victims' accounts.

SWA's point of view on this? It's all the customers' fault.


Is my password secure?


* Your password is unique to your account and is designed to protect your account from unauthorized use.
* Southwest Airlines® is not responsible for any lost, stolen, or otherwise disclosed passwords.
* Additionally, Southwest will not replace flight credits, partner credits, or program awards that are generated or redeemed by unauthorized password activity.
* Accordingly, your password should be guarded and not provided to anyone.
nova474 is offline  
Old Jun 20, 2011, 1:19 am
  #2  
 
Join Date: Nov 2006
Programs: AA PLT/2MM, SWA A+, SPG Titanium, Avis Chairman
Posts: 1,024
I'm going to assume from the couple of technical missteps in your post that you are not a web expert. You might not want to yell that the sky is falling without actual technical facts to back it up.

1. I assume you mean SSL, not SSH. SSH is not a protocol used in websites, but in remote access to systems via a command line.
2. Their website does in fact use SSL for at least the login processing. I did a quick capture to confirm that my credentials are not sent in plain text during the login process, but you could also confirm that by right-clicking on the page, and looking for this line:
<form id="loyaltyLoginForm" action="https://www.southwest.com/flight/login?loginEntryPoint=RIGHT_NAV" method="POST">
That is showing that the login form is submitted using SSL. It is possible the rest of your traffic is using non-SSL, but your username/password should not be.

This in no way certifies their website is safe. There are many attacks that can be done on open hotspots that they may be vulnerable to, but plain old sniffing does not appear to be one of them unless I am missing something.
edlin303 is offline  
Old Jun 20, 2011, 7:28 am
  #3  
 
Join Date: Nov 2010
Programs: AA EXP (owe), BA Silver (ows), AB Silver (owr), WN A+/CP, IHG Spire AMB, Avis First
Posts: 1,414
As with the above post, you might want to make sure you actually have the right background to make such shocking claims about security. I investigated with fiddler, and determined that username/password is transmitted over HTTPS (SSL) - not in plaintext (SSH?! that's funny... yes, it would be nice if I could access the southwest website over SSH, it'd make my life much easier!)

> POST /flight/login?loginEntryPoint=RIGHT_NAV HTTP/1.1
was done over HTTPS.

- the rest of the website is transmitted over HTTP, but the login is indeed HTTPS.

Now there are other security issues, such as being able to cancel a reservation with only a confirm # and name, but this is not one of them. In the future, please avoid making blanket claims without even having a clue about what you're talking about.

no2chem is offline  
Old Jun 20, 2011, 10:34 am
  #4  
Original Poster
 
Join Date: Dec 2005
Posts: 284
Background: Business Traveler, not IT pro.

My mistakes in my previous post:
1) Typing SSH when I meant SSL.

2) Relying only on HTTP in the address bar, and not checking my login with fiddler. I confirmed that the initial login for southwest.com is using SSL.

My argument still applies:
1) Unless I'm doing something wrong (probably), I don't think SWABIZ.com POSTs are secure. Fiddler shows them in plain text.

ss=0&disc=0%3A15%3A1308587220.336000%3A3292@7D074AFF2E50C35A9387B8FA9F1FF1E059724004&companyId=adfssadf&credential=dsfada&password=adsfdsafa&_rememberMe=on&submit=Submit


2) It is bad design to put login pages in non-encrypted pages. MS has been warning against that since 2005. AMEX used to do the same (last year?) but their new website fixed that.
Critical Mistake #1: Non-HTTPS Login pages (even if submitting to a HTTPS page).

3) Encrypting only the login info is not enough. My personal information should be protected as well.

4) I wonder if Firesheep can be modded to work for Southwest.


nova474 is offline  
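Posts #2 and #4 between them describe two separate checks: whether the login form's action points at https (the right-click check in post #2) and whether the page that hosts the form is itself served over https (post #4's "Critical Mistake #1"; a form delivered over plain http can be rewritten in transit before the user types anything, so an https action alone proves little). The script below is an added example, not code from the thread or from any airline; it automates both checks over saved page HTML. The hostnames under `.test` and the three sample pages are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormCollector(HTMLParser):
    """Collect the action of every <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.actions = []   # actions of forms that carry a password field
        self._form = None   # state for the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["has_password"]:
                self.actions.append(self._form["action"])
            self._form = None


def audit_login_forms(page_url, page_html):
    """Return (submit_url, verdict) for each password form found on the page.

    Verdicts:
      ok                   page and submission both over https
      form-page-over-http  credentials go over https, but the form was served
                           over http, so the page (and its action) was tamperable
      plaintext            credentials are posted over http and are sniffable
    """
    collector = LoginFormCollector()
    collector.feed(page_html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action in collector.actions:
        # Empty or relative actions resolve against the page's own URL.
        submit_url = urljoin(page_url, action)
        submit_https = urlsplit(submit_url).scheme == "https"
        if page_https and submit_https:
            verdict = "ok"
        elif submit_https:
            verdict = "form-page-over-http"
        else:
            verdict = "plaintext"
        findings.append((submit_url, verdict))
    return findings


# Constructed sample pages (hostnames under .test are placeholders, not real sites).
# 1. Page served over http whose login form posts to https: the pattern post #2 found.
MIXED_PAGE_URL = "http://www.airline.test/"
MIXED_PAGE_HTML = """
<form id="siteSearch" action="/search" method="GET"><input name="q"></form>
<form id="loyaltyLoginForm" action="https://www.airline.test/flight/login" method="POST">
  <input name="account"><input type="password" name="password">
</form>
"""
# 2. Page served over http whose form posts back to http: what post #4 saw in Fiddler.
PLAIN_PAGE_URL = "http://biz.airline.test/login"
PLAIN_PAGE_HTML = (
    '<form action="" method="POST">'
    '<input name="credential"><input type="password" name="password"></form>'
)
# 3. Page and form both over https.
GOOD_PAGE_URL = "https://www.airline.test/login"
GOOD_PAGE_HTML = (
    '<form action="/login" method="POST">'
    '<input name="user"><input type="password" name="pw"></form>'
)

if __name__ == "__main__":
    samples = [(MIXED_PAGE_URL, MIXED_PAGE_HTML),
               (PLAIN_PAGE_URL, PLAIN_PAGE_HTML),
               (GOOD_PAGE_URL, GOOD_PAGE_HTML)]
    for url, html_text in samples:
        for submit_url, verdict in audit_login_forms(url, html_text):
            print(f"{url} -> {submit_url}: {verdict}")
```

The search form on the first sample carries no password field and is ignored; only forms that actually collect a credential are graded. Feeding the script a page saved from a browser gives the same answer as the manual right-click check, plus the hosting-scheme verdict that the manual check misses.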
Old Jun 20, 2011, 11:38 am
  #5  
Moderator, Southwest Airlines and Choice Privileges
 
Join Date: Mar 2008
Location: Central Texas
Posts: 3,039
It is a relatively recent (though long intended) addition, but the Wiki FAQ does state:
Very important to note: Due to security issues it is highly inadvisable to log in to MySouthwest over public WiFi, even though logging in to most bank sites is relatively safe!
On a side note, flyertalk.com does not offer log in over https.
ftnoob is offline  
Old Jun 20, 2011, 12:18 pm
  #6  
FlyerTalk Evangelist
 
Join Date: Jan 2005
Location: home = LAX
Posts: 25,934
Perhaps y'all are logging in the wrong way?

I log in the "old-fashioned" way (ie, the only way that used to exist), because that's the page on which my browser remembers my login (from "Southwest Airlines Home Gate" days!).

To get to this page, go to the main Southwest page, wait for it to finish loading completely, then hover over the Rapid Rewards block on the right until a menu drops down from it, and select My Account from that menu. Voila, it takes you to:

https://www.southwest.com/flight/log...count/snapshot

Now, once you log in, it takes you back to an unsecured page for your aco.... overview. But if you click on My Preferences, it takes you once again to a secured page.

So stop logging in on the main page, and then see if there's any other pages left over that need to be secure that aren't. (I don't have any bookings to do so I'm not going to do an exhaustive inventory of which pages are secure and which aren't, right now. That is left as a reader exercise.)
sdsearch is offline  
Old Jun 20, 2011, 1:32 pm
  #7  
Moderator, Southwest Airlines and Choice Privileges
 
Join Date: Mar 2008
Location: Central Texas
Posts: 3,039
Originally Posted by sdsearch
Perhaps y'all are logging in the wrong way?
The issues go way beyond simply logging in over https. Google session sidejacking for more info. I haven't looked in detail at how SWA transmits cookie information, but I sure don't trust them to be encrypting cookies when the site hardly ever bothers to use https.

Originally Posted by sdsearch
https://www.southwest.com/flight/log...count/snapshot

Now, once you log in, it takes you back to an unsecured page for your aco.... overview.
And guess what? On that unencrypted page, as well as probably every unencrypted MySouthwest page, your full name and your RR # are transmitted for any snoop to see, along with the PNR of your next reservation, if any.

Originally Posted by sdsearch
then see if there's any other pages left over that need to be secure that aren't.
Future itineraries, change itinerary, cancel itinerary, view itinerary, to name just a few off the top of my head. Plus all the ones that contain your name and RR account number, which as suggested above is probably every MySouthwest page.

Of course all Emailed confirmations are also transmitted insecurely, though I only view my confirmation Emails over https (in Gmail).
ftnoob is offline  
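The "session sidejacking" that post #7 points to does not need the password at all: once the user has logged in over https, the site sets a session cookie, and if that cookie lacks the Secure attribute the browser attaches it to every plain http request for the account pages, where anyone on the same open WiFi can read it. The Python below is an added example, not code from the thread or from any airline: it parses Set-Cookie header values, reports the attributes a session cookie should carry, and shows which cookies would ride along on an http request. The header values are constructed for the demonstration.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into name, value and lower-cased attributes.

    Attribute flags without a value (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(set_cookie_values):
    """Map each cookie name to the list of hardening attributes it is missing."""
    report = {}
    for header in set_cookie_values:
        cookie = parse_set_cookie(header)
        problems = []
        if "secure" not in cookie["attrs"]:
            problems.append("missing Secure")      # sent over plain http, sniffable
        if "httponly" not in cookie["attrs"]:
            problems.append("missing HttpOnly")    # readable by page script
        if "samesite" not in cookie["attrs"]:
            problems.append("missing SameSite")    # sent on cross-site requests
        report[cookie["name"]] = problems
    return report


def cookies_sent_to(set_cookie_values, request_url):
    """Names of cookies a browser would attach to a request for request_url.

    Only the scheme/Secure rule is modelled; Domain, Path and expiry are ignored
    to keep the example focused on what an on-path sniffer can observe.
    """
    over_https = urlsplit(request_url).scheme == "https"
    sent = []
    for header in set_cookie_values:
        cookie = parse_set_cookie(header)
        if over_https or "secure" not in cookie["attrs"]:
            sent.append(cookie["name"])
    return sent


def hardened_set_cookie(name, value, path="/"):
    """Build the Set-Cookie value a session cookie should be issued with."""
    return f"{name}={value}; Path={path}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample: three cookies as a login response might set them.
SAMPLE_SET_COOKIES = [
    "JSESSIONID=0A1B2C3D; Path=/",                           # session id, no protection
    "lastSearch=AUS-LAS; Path=/; Secure",                    # kept off http, but script-readable
    "auth=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Lax",   # the shape we want
]

if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_SET_COOKIES).items():
        print(f"{name}: {', '.join(problems) or 'ok'}")
    print("sent on http:", cookies_sent_to(SAMPLE_SET_COOKIES, "http://www.airline.test/myaccount"))
    print("hardened:", hardened_set_cookie("JSESSIONID", "0A1B2C3D"))
```

The point the audit makes concrete is post #7's: marking the login form https is necessary but not sufficient. Unless the session cookie is Secure, and unless the account pages themselves are served over https so the browser has a reason to send it only there, the logged-in session is exposed on every plain http page the user visits afterwards.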
Old Jun 21, 2011, 6:06 pm
  #8  
FlyerTalk Evangelist
 
Join Date: Jan 2005
Location: home = LAX
Posts: 25,934
Originally Posted by ftnoob
It is a relatively recent (though long intended) addition, but the Wiki FAQ does state:
Very important to note: Due to security issues it is highly inadvisable to log in to MySouthwest over public WiFi, even though logging in to most bank sites is relatively safe!
And I presume any WiFi on Southwest's planes is "open" public WiFi, which then means that it is highly inadvisable to log in to MySouthwest while flying Southwest!!!

(I have to mention this, because on AA flights that have GoGo Inflight wireless access, one of the free sites is AA.com, and I can use AA.com securely via https:. Even their main home landing page can be accessed via https://www.aa.com. Anyone wanna rename this thread "Yet another reason to fly AA instead of WN"?)

Nor is it therefore advisable to log in to MySouthwest while staying at a hotel where you are earning Southwest points, since most of them have only "open" public WiFi too.
sdsearch is offline  

