Man hacked airline Web site to locate his lost luggage after customer service was unhelpful

Originally published at: Man hacked airline Web site to locate his lost luggage after customer service was unhelpful | Boing Boing


found it northern lights GIF by LEGO


I haven’t read the twitter thread or anything beyond what’s in the BB post, but this doesn’t really sound like the site was hacked. Seems the person just probed for additional info by popping the hood of the website (so to speak). The site was misconfigured in that some info wasn’t encrypted, which was exactly what our hero needed to get to the objective. Good job, Nandan Kumar!


Beat me to it while I looked this up:


I get where the airline is coming from - at least where I live, privacy law would definitely prevent the airline from releasing the personal details of another passenger, even in this situation. And I expect most people want it that way, even if its annoying in situations like this.

But having said they’d get in touch with the other passenger, the airline needed to go ahead and actually do that, ASAP.

(Yes, I’m ignoring the information security concerns because I’m sure those points will be well covered).


Completely being a pedantic web developer/backend guy here… “Encrypting” the phone number isn’t the fix. You can’t really “encrypt” data in the web browser if it is meant to be viewed at some point (esoteric and unnecessary javascript hoop jumping excluded). The backend should never have INCLUDED that information in the web page source code.

The proper place to “validate” permissions is on the backend, NEVER on the front-end. By then, it’s too late.


I do not think you know what those words mean.


Every time I’ve flown (more than 2 years ago, of course), the airline’s tag on my bag included my name. This states that the tag showed the PNR but not the name. I’m confused… maybe name is optional for podunk airlines?

1 Like

Don’t travel to Missouri then. You are likely to be arrested by the State Police. HACKER! /sarcasm

1 Like

Doesnt really count as hacking, the info was unencrypted.


Well, they are completely something with 4 of those 6 letters in. (-bust-)

1 Like

You left off the photo. :wink:



yes yes, but that actual quote was a little different

“You keep using that word, I do not think it means what you think it means”

But he pressed F12! That’s even more 7eet than right-click, view source!


kung fury GIF

1 Like

Wait, is this a repeat of Parson vs. Renaud?

(For those with short memories, Missouri governor Parsons accused St. Louis Post-Dispatch reporter Josh Renaud of “hacking” a publicly accessible website when Renaud basically did “view source” and found phone numbers and more leaked publicly, notified the site, and waited until it was fixed to report the story.)

Yes, except in one case the person was accused of hacking when they were not, whereas in the other case a person claimed to be hacking (“low key hacking!”) when they were not.

This topic was automatically closed after 5 days. New replies are no longer allowed.