aa.com not encrypting customer transaction data

[InfoSec News <isn () c4i org>]

Fowarded from: "Jay D. Dyson" <jdyson () treachery net>

-----BEGIN PGP SIGNED MESSAGE-----

Courtesy of Bugtraq.

It would appear that American Airlines' security problems aren't the
exception...they're the rule.

- ---------- Forwarded message ----------
Date: Mon, 17 Sep 2001 10:39:06 -0700
From: Chris Fairbourne <chris.fairbourne () camsystems com>
To: "'bugtraq () securityfocus com'" <bugtraq () securityfocus com>
Subject: aa.com not encrypting customer transaction data

Looks like aa.com (American Airlines) is NOT encrypting customer data for
purchasing e-tickets.
Hopefully this isn't still the case by the time this posts.
This hold true for both Advantage login and non-members as well.
At no time did I get a redirect to an SSL server for my session.

Taking a peek at the "Passenger Details" page source, no where do you find
"https" or ":443", hmm.
Next I make a phony submission and low and behold this is what I grabbed:
" f o r m % C I _ C r e d i t C a r d T o U s e _ C a
 r d N u m b e r "   v a l u e = " 4 3 2 3 5 0 1 9 8 3 5 1 9 9 9 9 "

I've made serveral phone calls to aa.com and generated a few e-mail. 
I can't convince them I'm wrong, so I bring it to this forum.

 

Chris Fairbourne
pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x371E73BB 
fingerprint: 7AE3DCC82215697A0C3F61C4968FCFDB371E73BB 


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBO6ZTXblDRyqRQ2a9AQG92QP/fEs4SbpOnrHL9v+souHFK5+Lt4pmHn4G
EtHF2G5s4oYaYVvJIS+QpuBw0DszoUXN6YI1kfZuDTkvBqsl2PkVsYuajy3qiCj0
yHeuXn35yAe/zK5HPwVGVmrBXN+6mSC69fTBskLHprAF5MZmDzZDJdgaasLZm9lu
SzbSIAAb+ro=
=yK2M
-----END PGP SIGNATURE-----



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.