A BuzzFeed intern and NYU senior recently claimed to have hacked Delta's paperless boarding pass system by changing just one digit in a URL. "On Delta, you can change the URL of your boarding pass and get someone else's boarding pass," Dani Grant wrote in a Medium post. "Even if they're on a different airline." This seems crazy.
Could Delta's cyber security really be so shitty that tweaking a URL would give you access to someone else's boarding pass? Update: Yes, it is. Delta confirmed a vulnerability in a statement.
"After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring," Delta spokesperson Paul Skrbec said. "As our overall investigation of this issue continues, there has been no impact to flight safety, and at this time we are not aware of any compromised customer accounts." The airline added, "We apologize for any concern this may have caused."
We also contacted Grant for more details, and she sent over two URLs. The first was apparently used on a November 6 flight between Los Angeles and San Francisco. Grant said she changed a single digit in the URL and saw someone else's boarding pass for a different flight. It takes a little bit of brute force, though. "It's luck of numbers," Grant said in an email. "Not every URL string corresponds to a valid boarding pass—if you keep changing digits you'll find one."
We tried the same thing—dozens of times—and it didn't work. BuzzFeed and Mashable say they successfully replicated the hack, although all of the screenshots are the same as the ones Grant included in her original post. It's worth noting that all of these screenshots show boarding passes that are between one week and two months old. When pressed about the example that she gave Gizmodo, the college student said that the URL "seems to have expired."
It's also possible that Delta fixed the vulnerability when it was first reported. (Update: Delta did just that.) Grant acknowledged as much. "Another explanation is that URLs are set to expire after a set time, or have some sort of rate limiting—they expire if too many people are clicking on them," she said. Plus, who knows if the trick will work on unused boarding passes.
For now, it's probably safe to say that something is amiss with Delta's online boarding passes. Delta did send Grant a response—see below—when she reported the issue to the airline, though it took them a few more hours to confirm that the vulnerability had been patched. Nevertheless, don't go sharing your boarding pass URLs with everyone this holiday season. That's actually probably a good rule, no matter what.
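The article does not say how Delta built or fixed its boarding pass URLs, so the following is an added example and not Delta's code. It contrasts a lookup keyed on a guessable number with a link that carries an HMAC-signed, expiring token, one common way to make an altered URL fail. The ids, records and function names are all constructed for illustration.

```python
import base64, hashlib, hmac, secrets

KEY = secrets.token_bytes(32)  # server-side secret, generated for this example

# Constructed sample records keyed by a guessable numeric id (assumption).
PASSES = {"1000234": "PASSENGER A / LAX-SFO", "1000235": "PASSENGER B / JFK-ATL"}

def lookup_by_id(pass_id):
    """Weak pattern: whoever alters the id in the URL gets that record."""
    return PASSES.get(pass_id)

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(pass_id, expires_at, key=KEY):
    """Return 'payload.mac'; the MAC binds the id to its expiry time."""
    payload = f"{pass_id}:{int(expires_at)}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(mac)}"

def lookup_by_token(token, now, key=KEY):
    """Return the pass only for an untampered, unexpired token."""
    try:
        payload_part, mac_part = token.split(".")
        payload, mac = b64d(payload_part), b64d(mac_part)
        pass_id, expires_at = payload.decode().split(":")
        expires_at = int(expires_at)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed link
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # id or signature was altered
    if now > expires_at:
        return None  # link has expired
    return PASSES.get(pass_id)

if __name__ == "__main__":
    token = issue_token("1000234", expires_at=2000)
    # Swap in a neighbouring id while keeping the original signature.
    forged = b64e(b"1000235:2000") + "." + token.split(".")[1]
    print(lookup_by_id("1000235"))             # neighbouring id is served
    print(lookup_by_token(token, now=1000))    # genuine link is served
    print(lookup_by_token(forged, now=1000))   # altered link is refused
```

A signed link still works for anyone who holds it until it expires, so the advice above about not sharing boarding pass URLs applies either way.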