Configuration Error Leads to Akasa Air Data Exposure

Travel, Payment Info Not Compromised; Users at Risk of Phishing Attacks

Akasa Air began its first month of commercial operations with a data breach incident, telling customers that a configuration error on its website had put them at risk of phishing attacks.

The no-frills carrier says it received a report last Thursday that unauthorized individuals may have been able to access user information including name, gender, email address and phone number. Other data, such as payment card details and travel records, was not exposed, the airline says.


The configuration error was related to the passenger airline's login and sign-up service on the customer registration page.

TechCrunch reports the breach exposed 34,533 unique customer records. Akasa Air did not respond to Information Security Media Group's request for details on the impact of the incident. The carrier began service between Mumbai and Ahmedabad with an inaugural flight earlier this month. The company says it intends to grow to 72 aircraft over the next two to five years despite the death this month of major financial backer Rakesh Jhunjhunwala, an Indian billionaire who held a 46% ownership stake in the nascent airline.

The airline says its login and sign-up services now have additional security controls. The company says it reported the incident to the Indian Computer Emergency Response Team.

No Evidence of Hack

Akasa Air says it's unlikely that a threat actor exfiltrated the exposed data and it addressed the unauthorized access by shutting down associated functional elements on its system.

Indian security researcher Ashutosh Barot, who says he reported the configuration error to the airline, tells Information Security Media Group that he agrees. It's likely that the bug was "not found/exploited by threat actors," he says.

Barot says he found the bug during routine research. "I was exploring domains, subdomains and internet-facing IT infrastructure of Akasa Air, when I came across the registration page where users were required to create a profile by entering their name, phone number and email address. I was able to find a vulnerability on this page in a few minutes," he says.

Barot created a profile on the site, then searched the HTTP responses captured in Burp Suite, a web application security testing tool, for his own personal information. "I found an HTTP request which gave my name, email, phone number, gender, etc. in JSON format. I immediately changed some parameters in the request and I was able to see other user's PII [too]," Barot says in a blog post.
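What Barot describes is a classic insecure direct object reference (IDOR): the profile endpoint returned whatever record the client-supplied identifier pointed at, and the only access control was being logged in at all. The following is an added illustration, not code from Akasa Air or from Barot's blog post. It models a profile-lookup endpoint as plain Python functions over constructed in-memory data (the user IDs, names, e-mail addresses and the `userId` parameter name are all hypothetical assumptions), places a vulnerable handler beside a hardened one that derives the record owner from the session rather than from the request, and then runs the parameter-tampering test Barot performed against both.

```python
"""IDOR demonstration: vulnerable vs. hardened profile lookup (constructed example)."""
import json
import secrets

# Constructed sample records; names, addresses and ID scheme are hypothetical.
USERS = {
    "u-1001": {"name": "Asha Rao", "gender": "F",
               "email": "asha@example.com", "phone": "+91-9876500001"},
    "u-1002": {"name": "Vikram Nair", "gender": "M",
               "email": "vikram@example.com", "phone": "+91-9876500002"},
    "u-1003": {"name": "Meera Iyer", "gender": "F",
               "email": "meera@example.com", "phone": "+91-9876500003"},
}

# Session store: opaque token -> authenticated user ID.
SESSIONS = {}


def login(user_id):
    """Simulate a sign-in and return an opaque session token."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user_id
    return token


def vulnerable_profile(request):
    """Returns (status, body). Authentication is checked, but the record
    served is chosen purely by the client-supplied 'userId' parameter, so any
    logged-in user can read any other user's PII by changing that value."""
    if request.get("session") not in SESSIONS:
        return 401, ""
    record = USERS.get(request.get("params", {}).get("userId"))
    if record is None:
        return 404, ""
    return 200, json.dumps(record)


def hardened_profile(request):
    """Returns (status, body). The owner is derived from the session token;
    a 'userId' parameter is honoured only when it matches that owner."""
    owner = SESSIONS.get(request.get("session"))
    if owner is None:
        return 401, ""
    requested = request.get("params", {}).get("userId", owner)
    if requested != owner:
        # 403 here; return 404 instead if you do not want to confirm that
        # the requested identifier exists.
        return 403, ""
    return 200, json.dumps(USERS[owner])


def enumerate_profiles(handler, token, candidate_ids):
    """Replay the parameter-tampering test: walk a list of candidate IDs with
    one valid session and return the IDs whose PII the handler disclosed."""
    leaked = []
    for uid in candidate_ids:
        status, body = handler({"session": token, "params": {"userId": uid}})
        if status == 200 and json.loads(body).get("email"):
            leaked.append(uid)
    return leaked


if __name__ == "__main__":
    token = login("u-1001")
    ids = list(USERS)
    print("vulnerable leaks:", enumerate_profiles(vulnerable_profile, token, ids))
    print("hardened leaks:  ", enumerate_profiles(hardened_profile, token, ids))
```

Against the vulnerable handler a single account leaks every record in the table, which is how one researcher with one profile can demonstrate exposure of tens of thousands of users; against the hardened handler the same walk yields only the caller's own record. Note that the fix is the ownership check, not the ID format: random identifiers slow enumeration but do not replace authorization.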

He sent a direct message to Akasa Air on Twitter, asking if he could email his findings to the generic email ID info@akasaair.com. Hesitant to share the vulnerability details as "generic emails are handled by customer support staff which are possibly third-party vendors," Barot contacted a journalist, who put him in touch with Akasa Air's security team.

The airline fixed the issue in two weeks, Barot tells ISMG.


About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.



