How to report a glaring security hole in BA.com ?
#1
Original Poster
Join Date: Mar 2016
Location: Glasgow, UK
Programs: Seigneur des Tarifs Utils First Class Mucci with Honours :) - BA GGL / CCR
Posts: 1,551
How do I report a glaring security hole in BA.com?
Hi,
As a career, one of the things I am responsible for is IT Security.
I have found a security issue on the website which exposes the user's password and email address, and for obvious reasons I will not post it on FT or to anyone other than the appropriate person at BA.
Having looked through the website and a pile of other "contact us" pages, there is no contact for the web team / security team.
Does anyone know a way of reporting this correctly?
Last edited by cgtechuk; May 31, 2018 at 5:39 am
#2
Join Date: Sep 2017
Location: London
Programs: BAEC Gold
Posts: 52
Hey,
I don't have an answer, more a concern. What's their method of storing passwords? (clear, hash, hash+salt) ?
#3
Ambassador, British Airways Executive Club
Join Date: Feb 2008
Location: UK
Posts: 10,153
There was the ba.com official as a user handle company rep on here but they have not logged in since 28th Feb but as I understand it they do monitor the ba.com glitches thread on here.
Perhaps PM BA Executive Club on here and they can forward your concerns?
#4
Join Date: Aug 2015
Location: London
Programs: BA
Posts: 240
Best thing is to raise a direct message on twitter or contact the executive club via the phone. They have channels to contact asset protection and the duty security manager.
#5
Join Date: Dec 2009
Location: Flatland
Programs: AA Lifetime Gold 1MM, BA Gold, UA Peon
Posts: 6,111
Do tell us if BA are as rewarding as United:
https://www.theregister.co.uk/2016/0...ion_air_miles/
(the downside, in this case, is that it was United miles)
A teenage hacker from the Netherlands has received a million airline miles for finding 20 bugs in the travel business' code base.
... The company has paid out millions in air miles already.
#6
Suspended
Join Date: Mar 2002
Location: Canada, USA, Europe
Programs: UA 1K
Posts: 31,452
Why does this not surprise me at all?
#7
Original Poster
Join Date: Mar 2016
Location: Glasgow, UK
Programs: Seigneur des Tarifs Utils First Class Mucci with Honours :) - BA GGL / CCR
Posts: 1,551
I have sent a message to the BA Exec Club PM here; I can't use Twitter at the moment as I am at work.
Thanks
#8
Join Date: Jul 2014
Programs: Mucci de l'Arbitrage
Posts: 927
Once they have fixed it it would be great if you report back what it was, out of interest.
#9
Join Date: Jul 2005
Location: London, ARN, HEL, ..... or MAN
Programs: BA GGL / GFL, Mucci Diamond!, HH Diamond, Radisson Premium, IHG Gold, Hertz Gold
Posts: 5,900
Other route might be through app feedback on the BA App.
I know that they read the feedback daily - they're a separate team from the ba.com team but clearly will know who to talk to in the web team to get the ball rolling?
#10
Original Poster
Join Date: Mar 2016
Location: Glasgow, UK
Programs: Seigneur des Tarifs Utils First Class Mucci with Honours :) - BA GGL / CCR
Posts: 1,551
I did think about this, but it's unique to the website, not the app, which I figured would be a different team.
#11
Join Date: May 2012
Location: London, UK
Programs: BA Gold, Hotels.com Gold
Posts: 390
Hi,
As a career one of the things I am responsible for is IT Security.
I have found a security issue on the website which exposes the users password and email address and for obvious reasons I will not post it on FT or to anyone other than the appropriate person at BA.
Having looked through the website and to a pile of other contact us pages there is no contact for the web team / security team,
Does anyone know a way of reporting this correctly?
If it is to do with user e-mails could you approach their Data Protection Officer? Under the shiny new GDPR legislation this should make them jump pretty quickly as them going astray would be a serious breach under something which is very much of interest right now.
[email protected] per the bottom twisty thing of https://www.britishairways.com/en-gb...privacy-policy
#12
Report it to the Data Protection Officer for BA. Once your email is received GDPR enters into action so assuming BA is on top of things, then looking for a resolution should be quick.
#13
Join Date: Jun 2002
Location: Kent, UK
Programs: BA Gold; Turkish Miles&Smiles Elite; Freccia Alata Plus; Amex Platinum; SPG Gold; Marriott Gold Elit
Posts: 276
From Linkedin: Mike Grenham
Group IT Security manager at International Airlines Group (IAG)
Reading, United Kingdom
He is connected to a few people that I am involved with on cyber security, so he's perhaps someone to try and contact, perhaps via a Linkedin message.
#14
Join Date: Apr 2014
Programs: BA Exec Club Gold, Hilton Diamond, IHG Platinum, Marriott Bonvoy Platinum
Posts: 214
I once reported a data protection breach involving a senior BA official’s personal details
I just contacted the contact centre, explained the issue in detail and explained that they needed to alert corporate security immediately.
They took it very seriously and there was instant action.
#15
Join Date: Nov 2016
Location: London
Programs: BAEC Gold, *A Silver
Posts: 51
Bug bounty is 500 Avios as a good will gesture. Please do disclose after normal timings - curious to hear. I can only just about book flights through their abomination of a web site, the thought of pen testing it makes me shiver.