Planes, Ferries and Automobiles

How I Hacked Free Travel Across Iceland

Posted by Stefán Orri Stefánsson on 4 March 2024

This is a story of how I exploited local travel companies’ IT systems to score free airline tickets, bus passes and ferry rides. It all started out with an accidental discovery of a bug in an airline’s booking system and just spiraled from there.

Disclaimer: All the bugs were discovered, verified, and reported. Any issued tickets were canceled and not used.

Part One: The Plane

The accidental discovery was a few years ago, my first foray into travel hacking. I was browsing the Wow Air (RIP) website and noticed that when I selected a package holiday, there was an added “booking fee” of ISK 1000, with a preselected checkbox I couldn’t un-check. Summoning my leet hacking skills, I opened the browser dev tools and removed the disabled attribute from the form element. To my surprise, the total price was lowered by ISK 1000!

(dramatization of real events)

That got me curious and I started digging around. Next thing I saw was adding bags cost extra. Quite a lot extra! Too much, I thought, and checked the HTML again. Interestingly, the bag surcharge was there in a data-price attribute. I found that by changing the amount to a negative value, I could bring along a few bags and get a discount on the total fare. Pretty sweet!

Going on a holiday is costly, and even if I managed to reduce the cost of the package holiday to zero, I would still need to budget for expenses such as food, drinks, and SPF50 sunscreen for my pale Icelandic skin. So I tried to set the price of a piece of luggage to a large negative amount and I got my trip along with a nice amount deposited to my credit card! Awesome - here I come [checks notes] Warsaw! But surely I was just manipulating the local state - this was just the price on my screen changing and the full amount would show up when checking out, right? As it turned out, it wasn’t and I could complete the process with my preferred price.

When I notified the company about this flaw, they responded by shipping a “fix” which removed the disabled checkbox entirely, and changed the data- elements in the markup. However, this was only obfuscation and didn’t address the real issue. Executing the attack was still straightforward, by injecting JavaScript to override the postback handling function.

Why did it break?
Wow Air made the frontend responsible for calculating the price and blindly trusted the result on the backend.
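What the missing backend check could look like, as an added example that is not Wow Air's code: the server rebuilds the quote from its own price list, always applies the mandatory fee, and treats a mismatch with the client's figure as a tampering signal. Item ids, prices and function names are constructed for illustration.

```javascript
// Server-side price list (constructed values). Prices never come from the client.
const CATALOG = Object.freeze({
  "package-holiday": { price: 89000, maxQty: 9 },
  "checked-bag": { price: 4999, maxQty: 5 },
});
const BOOKING_FEE = 1000; // mandatory fee, applied whatever the form says

// Build the authoritative quote from item ids and quantities only.
function quoteBooking(submission) {
  const lines = [];
  let total = BOOKING_FEE;
  for (const item of submission.items ?? []) {
    const known = Object.prototype.hasOwnProperty.call(CATALOG, item.id);
    if (!known) return { ok: false, error: `unknown item: ${item.id}` };
    const entry = CATALOG[item.id];
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > entry.maxQty) {
      return { ok: false, error: `invalid quantity for ${item.id}` };
    }
    // item.price (if the client sent one) is deliberately ignored.
    lines.push({ id: item.id, qty: item.qty, unit: entry.price });
    total += entry.price * item.qty;
  }
  if (lines.length === 0) return { ok: false, error: "empty booking" };
  // A client total that differs from ours is worth logging and alerting on.
  const tampered =
    submission.clientTotal !== undefined && submission.clientTotal !== total;
  return { ok: true, total, lines, tampered };
}

// Constructed submission: fee box unchecked, bag given a negative price.
const tamperedForm = {
  bookingFee: false,
  clientTotal: -11000,
  items: [
    { id: "package-holiday", qty: 1, price: 89000 },
    { id: "checked-bag", qty: 2, price: -50000 },
  ],
};
console.log(quoteBooking(tamperedForm));
```

The amount charged is always `total` from this function; the client's figure is only compared against it, never used.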

Part Two: The Automobile

Since I had set out on this journey of petty crime, I shifted my focus to the local bus company’s god-awful mobile app, which I used daily to purchase tickets. The ticket verification was very simplistic - you pressed a button in the app which turned on the front camera with a graphic overlay and showed that to the driver. The driver eyeballed the screen, checked the ticket was activated, and let you onto the bus.

Activated bus ticket (left) and visual verification (right)

A visual inspection like this can easily be spoofed. Creating an app which mimicked the verification screen couldn’t be too much work. However, I’m severely GUI-challenged, so it was easier to whip out mitmproxy to spoof the backend. I rigged my phone up to an intercepting proxy and captured the app’s traffic. There was no obfuscation to deal with, no certificate pinning, etc. I coded some rules to autorespond to the app, telling it I had 999 valid tickets, and scored free bus rides! At least until the bus company replaced the app with an updated version that’s even worse somehow, and almost never works even with genuine tickets. By that time I was working from home and no longer taking the bus anyway.

Infinite bus tickets

Why did it break?
The bus app had a fundamental design flaw: it relied on visual verification of tickets.

Part Three: The Ferry

It was at this point I recalled an old favorite movie, Planes, Trains and Automobiles, and I thought that would be a pretty cool title for an article detailing my exploits. But there was a problem - there are no trains in Iceland - not even trams or a metro. I dejectedly turned to the best alternative, ferries!

It took literally 20 minutes to check out the two major ferry routes, find an interesting target in one of them, manipulate the input parameters in the booking engine and score a free ticket by masquerading as a tour guide.

Intercepted HTTP request with the hidden fare type injected (left) and free tour guide ticket (right)

Why did it break?
Another case of doing too much work on the frontend without validation on the backend. The ferry booking engine exposed unnecessary internal details, including hidden fare types.
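A sketch of the backend check for fare types, added here and not taken from the ferry operator's system: each fare type carries the roles allowed to book it, the browser is only sent the fare types its session may use, and the booking endpoint repeats the check on every passenger. Fare codes, prices, role names and function names are hypothetical.

```javascript
// Constructed fare table. `roles` lists who may book each fare type.
const FARES = Object.freeze({
  adult: { price: 4200, roles: ["public", "guide"] },
  child: { price: 2100, roles: ["public", "guide"] },
  "tour-guide": { price: 0, roles: ["guide"] },
});

// Fare types sent to the browser: only what this session may actually book,
// so restricted fares are not exposed in the markup or API responses.
function visibleFares(role) {
  return Object.keys(FARES).filter((code) => FARES[code].roles.includes(role));
}

// Price a booking. `session.role` comes from the server-side session,
// never from a request parameter.
function priceFerryBooking(session, passengers) {
  if (!Array.isArray(passengers) || passengers.length === 0) {
    return { ok: false, status: 400, error: "no passengers" };
  }
  let total = 0;
  for (const p of passengers) {
    if (!Object.prototype.hasOwnProperty.call(FARES, p.fareType)) {
      return { ok: false, status: 400, error: "unknown fare type" };
    }
    const fare = FARES[p.fareType];
    if (!fare.roles.includes(session.role)) {
      // Hiding the option in the UI is not enough; refuse it here too.
      return { ok: false, status: 403, error: `fare ${p.fareType} not permitted` };
    }
    total += fare.price;
  }
  return { ok: true, status: 200, total };
}

// Constructed request: an ordinary customer session submitting the guide fare.
const publicSession = { role: "public" };
console.log(visibleFares(publicSession.role));
console.log(priceFerryBooking(publicSession, [{ fareType: "tour-guide" }]));
```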

Wild Speculation Corner

All the hacks here were pretty easy. They didn’t require me to apply any real hacking skills, and mostly could be done with just the browser dev tools.

But why was it so easy to pull off? I didn’t do tons of research to dig out a few good targets. The good targets were all over the place! In fact, I found several more, just from the domestic travel sector. What I wrote up here was only the tip of the iceberg - the others were similar to these, or just not as interesting. (The time I bypassed ticket purchase limits for an event booking system with the advanced Alt + Left arrow attack didn’t make the cut).

All the bugs here are design flaws. These bugs aren’t detected by an automatic web security scanner. Software composition analysis or vulnerability management tools don’t flag them. Identifying them requires someone with a fundamental understanding of security looking at the internals. And it seems no-one is looking.

Photo credit: Bátur Waterfall, Dalsá, Iceland. Own photo.