Canadian Airline Screws Up, Leaving User Data Leaking for Months

Canadian carrier Flair Airlines left credentials to sensitive databases and email addresses exposed for at least seven months, increasing the risk of passengers’ personal information, such as emails, names, or addresses, ending up in the wrong hands.

According to Cybernews, the leak consisted of publicly accessible environment files on the website. Environment files are commonly used in software development to manage environment-specific settings or sensitive information (like API keys and database credentials).

An essential requirement in web development is to keep crucial .env files secure because they often contain sensitive information that could be used to compromise services or applications.

Cybernews researchers explain: “The publicly hosted .env files contained database and email configuration details. Database configurations revealed that one of the databases was exposed to the internet, meaning anyone could potentially use these credentials to access sensitive information stored in this database.”
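A defender's audit for the two conditions described above (a .env file sitting inside the web-served directory, and a host setting that points at a non-local address), as an added example that is not code from Cybernews or Flair Airlines. The key names (DB_HOST, DB_PASSWORD, MAIL_HOST, MAIL_PASSWORD), the sample values and the function names are assumptions constructed for illustration.

```python
import ipaddress
import os
import re

# Constructed sample; key names are assumptions, not taken from the incident.
SAMPLE_ENV = "DB_HOST=db.example.com\nDB_PASSWORD='placeholder'\nMAIL_HOST=127.0.0.1\nMAIL_PASSWORD=\n"
SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY", re.I)
HOST_KEY = re.compile(r"(^|_)HOST$", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip quotes."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs[key.strip()] = value.strip().strip("'\"")
    return pairs

def is_internet_facing(host):
    """False for localhost and non-global IP literals; a DNS name is
    treated as possibly public (no lookup is done, so this runs offline)."""
    if host.lower() == "localhost":
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True

def audit_webroot(webroot):
    """Return sorted (relative_path, key, issue) for .env* files under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name != ".env" and not name.startswith(".env."):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            with open(path, encoding="utf-8", errors="replace") as fh:
                env = parse_env(fh.read())
            for key, value in env.items():
                if SECRET_KEY.search(key) and value:
                    findings.append((rel, key, "secret in web-served file"))
                elif HOST_KEY.search(key) and value and is_internet_facing(value):
                    findings.append((rel, key, "host may be internet-reachable"))
    return sorted(findings)
```

Run `audit_webroot` against the directory the web server actually serves; any result means the file should be moved out of that directory and the listed credentials rotated.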

The exact number and full contents of the exposed databases are currently unknown, but at least one subdomain was collecting private user information (including names, email addresses, phone numbers, flight details, addresses, gender, date of birth, etc.).

It is currently impossible to know if any malicious actors took advantage of the leak, but the public .env files were first observed in August 2022, meaning that they were accessible for nearly seven months. The Cybernews research team discovered the leak at the beginning of 2023, and it reportedly took a few months of follow-up notifications until the vulnerability was resolved.

“Leaks like this can often be a starting point for cybercriminals. Firstly, to research what information their target could store, what technologies and security measures they are using. Second, personal information could be used for phishing, identity thefts and other attacks, targeting individuals,” the Cybernews researchers explained.

In this case, the database was hosted publicly, meaning that malicious actors could have accessed user information without exploiting any vulnerabilities.

Access to email credentials would allow an attacker to log in and send emails from compromised addresses. This is dangerous because it could be used to launch phishing attacks from official Flair Airlines email addresses, easily tricking victims into trusting them.

Furthermore, a malicious actor could use names in conjunction with addresses, emails, and phone numbers to commit identity theft, creating accounts on the person’s behalf without their consent.