Canadian Flair Airlines left credentials to sensitive databases and email addresses open for at least seven months, the Cybernews research team has discovered. This increases the risk of passengers’ personal information, such as emails, names, or addresses, ending up in the wrong hands.
The leak consisted of publicly accessible environment files hosted on the flyflair.com website. Flyflair.com belongs to the Canadian ultra-low-cost carrier Flair Airlines, founded in 2005. According to SimilarWeb, the website attracts 3.2 million monthly visitors.
Environment files are commonly used in software development to manage environment-specific settings or sensitive information such as API keys and database credentials. Web development 101, or an essential requirement, is to keep crucial .env files secure, as they often contain sensitive information that could be used to compromise services or applications.
In this case, the public .env files revealed:
- MySQL database credentials and location for the local database
- MySQL database credentials and location for the remote, internet-connected database
- SMTP configuration, including credentials and secret tokens, for the [email protected] and g[email protected] emails.
- Laravel App key (popular open-source PHP web framework)
“The publicly hosted .env files contained database and email configuration details. Database configurations revealed that one of the databases was exposed to the internet, meaning anyone could potentially use these credentials to access sensitive information stored in this database,” Cybernews researchers claim.
While the exact amount of data or the full contents of the exposed databases are unknown, at least one subdomain for booking group travel at a time was collecting private user information, which included:
- First and last name
- Phone number
- Flight details (destinations, dates, flight numbers, etc.)
From the outside, it’s impossible to determine if any malicious actors took advantage of the leak. However, public .env files were first observed and indexed in August 2022, meaning that they were accessible for nearly seven months.
The Cybernews research team discovered the leak on February 27th, 2023. Security disclosure was first reported in March. It took a few months of follow-up notifications, including to the Canadian Computer Emergency Response Team (CERT), until the vulnerability was resolved.
Cybernews contacted Flair for a comment, but the company has yet to respond to the inquiry.
Leak provides several attack vectors and can be dangerous
Criminals usually exploit leaked data in bulk, sometimes combined with other leaks, due to specialization in different criminal endeavors. The compromised Flair data could provide at least a few possible attack vectors.
“Leaks like this can often be a starting point for cybercriminals. Firstly, to research what information their target could store, what technologies and security measures they are using. Second, personal information could be used for phishing, identity thefts and other attacks, targeting individuals,” our researchers said.
In this case, the publicly hosted database means that malicious actors could have accessed user information without the need to exploit any vulnerabilities. Attackers could log in, read, and copy the contents or, if user privileges allow, modify or delete the data.
“Leaked email credentials would allow an attacker to log in and send emails from compromised addresses. This is dangerous as it could be used to launch phishing attacks from official Flair Airlines email addresses and trick receivers into clicking malicious links or following other instructions.”
Aviation companies possess a treasure trove of information for black hats, as criminals often seek ways to exploit sensitive personal information, especially passports, for financial gain.
Access to information could also serve as a foothold for criminals to plan more sophisticated attacks.
The Cybernews Research team recommends that Flair or any company immediately reset leaked keys and credentials once the vulnerabilities are exposed, protect customer information, and consider moving exposed infrastructure to new hosts.
For users – caution advised
Customers of Flair Airlines should consider the information that Flair Airlines collects, which could have been accessible due to this leak.
A malicious actor could use names in conjunction with addresses, emails, and phone numbers to commit identity theft, creating accounts on the person's behalf without their consent.
Email addresses can be used for phishing and spam.
“Since passwords also could have been exposed, attackers could try to compromise the email address or the accounts associated with that email via credential stuffing attacks. Users should set up 2FA on their email as well as other accounts. They should also avoid clicking links in their emails or even opening suspicious emails. They can also consider changing their email address or making multiple email addresses for different purposes (one for retail accounts, one for social media accounts, etc.),” Cybernews researchers suggest.
Users should always be vigilant when seeing their names in unsolicited communications and monitor their email and credit score to ensure no new accounts have been opened using their information.
More from Cybernews:
Subscribe to our newsletter