Swap a few letters in the URL used to access your next mobile boarding pass and you might end up in a better seat, on a different flight or with a new airline.
Grant reported it is possible to access another flyer’s boarding pass on the same airline as well as switch airlines altogether. Delta Air Lines and Southwest Airlines were the two airlines found susceptible to URL tinkering.
Skift spoke with representatives of Delta and Southwest, both of whom say they have addressed and fixed the issue since becoming aware of it late Monday night.
“After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring,” says Delta spokesperson Paul Skrbec.
“As our overall investigation of this issue continues, there has been no impact to flight safety, and at this time we are not aware of any compromised customer accounts.”
A Southwest spokesperson echoed the sentiment. However, neither airline could confirm that this flaw hasn’t been used to board a plane in the past.
“As soon as we became aware of the issue we contacted the vendor that powers the mobile boarding functionality to quickly resolve the situation. Upon notification the issue was immediately eliminated and we do not have reports of Southwest customers being impacted,” a statement from the airline read.
“We will continue to monitor the event and are currently engaged in conversation with our vendor.”
A JetBlue spokesperson said the airline was not affected by the security flaw that impacted Delta and Southwest.
“Our URLs are not susceptible as we have unique URLs that require multiple aligned strings of data,” she says.