Updated: Airline websites don't care about your privacy: a case study on Emirates.com

by Konark Modi



I asked my wife if it was alright for her date of birth to be known to a stranger. Only if they send me a birthday gift, she joked. What about your passport number? She lowered the book she was reading. I now had her attention.

"Now imagine this," I said. "You try to check in for your flight online and see the error message: This booking does not exist. You try again; this surely is a mistake. Nope, still the same error message. The call-centre agent repeats the same words. This has to be a mistake! You check your email, and there it is, staring back at you: an email confirming the cancellation. But you are sure you didn't do it." Whodunnit?

This is not a far-fetched scenario from a sci-fi book; this really happened.

An organisation whose primary product is digital, yet which lacks even basic data-security practices, is living in a utopian world where people leave their safe open and never expect a burglar to walk in.

In the spirit of full disclosure: sometime last year, while booking travel for my family, I stumbled across a few data-security practices that, as a data-security advocate, made me extremely worried. When I voiced my concerns to the Emirates team, this conversation took place:

In lay terms: when you book a flight through Emirates, domestic or international, there are approximately 300 data points related to your booking.

The moment you click Manage Preferences to select a seat or meal for your trip, or to check in to your flight, your booking ID and last name are passed on to approximately 14 different third-party trackers, including Crazy Egg, Boxever, Coremetrics, Google and Facebook.

Details

After I completed the booking on Emirates, I received an email confirmation titled "Booking Confirmation — Booking Number".

The body of the email contained a Manage Booking button. I clicked it to select seats and meals and reached the Manage Preferences page. This was pretty straightforward.

As a user, I saw only the normal behaviour of clicking a link and landing on the Manage Preferences page; in the background, a redirection chain took place.

While the Manage Booking link was supposed to be exclusive to me (the user) and the website, it was also shared with the numerous third-party trackers that Emirates has embedded in its web pages.

The cherry on the cake was that the link leading to the Manage Preferences page used plain HTTP. The insecurity of HTTP has been discussed over and over again, especially with regard to the authenticity of the content and protection against interlopers; in short, HTTP links are a data-privacy nightmare. Anyone positioned on the network path can read (and alter) the request, including the URL that carries the booking reference and last name. So not only was Emirates passing user information to the third-party trackers it had embedded, it was also exposing the supposedly "private" page to network adversaries.

What kind of information can third parties access?

The links shown in (1) and (2) are currently being sent to the third parties.

The following fields carry the URL, which gives access to the booking details.

Anyone with access to these links can not only read but also edit the same information that I, as the user, can.

For example, they can now:

  1. Change or cancel the flight
  2. Change seat or meal preferences
  3. Add more products to the booking
  4. Change or add passport information
  5. Change or add frequent-flyer information, etc.

Exhibit of editable personal information on this page:

a. Full name

b. Skywards number

c. Email ID / telephone number

d. Amount paid, fare breakup

e. Passport details, nationality, date of birth, gender

Note: In October 2017, fields such as passport number, email ID and telephone number were masked in the user interface but not obfuscated in the page source. The web app has been revamped since then, and these fields are now obfuscated in the source as well.

I decided to take a peek at the mobile app to see whether the past had caught up with the present, and lo and behold, there it all was in its full glory: passport number, email ID and telephone number in plain text. What was obfuscated in the web app was easy to access in the mobile app.

Now, what is wrong with this?

This issue is not limited to Emirates; many airlines, such as Lufthansa and KLM (last checked in October 2017), suffer from the same problems.

Every website uses third-party trackers to improve its product and provide a better web-usage experience. Data leaks are often considered collateral damage, and sometimes not considered at all, when such trackers are implemented.

Most of these third parties are present on many other websites and use long-term identifiers such as cookies to track users across domains. Because one of those websites, in this case Emirates, leaks private information, these companies can now potentially not only link a user's activity across the web but also identify who the user is.

The questions that Emirates (and others) need to answer are:

  1. Why was my booking information passed on to these third parties without my explicit consent?
  2. Why do these third parties need to receive this information?
  3. Is Emirates even aware that sensitive user information is being leaked to these third parties?
  4. Who are these third parties?
  5. What are they doing with user information?

Reporting it to Emirates

In the spirit of responsible disclosure, on discovering these serious security flaws that violate user-data privacy, I decided to flag them to Emirates through a Twitter DM in October 2017. Please note that I could not find a dedicated channel for reporting security bugs on the Emirates website.

The social media team immediately responded to my Twitter DM with a canned response, but I was not ready to give up hope. I also wrote an email to the product manager highlighting the security flaws. I was met with a deafening silence.

As of today (2018-03-03), many of these issues still persist.

This is a serious violation of privacy: at no point during the whole booking process did I agree to share any of this personal information with any of these websites.

Emirates' own privacy policy is not very clear. It does mention some of these services, but not all of them, nor what data is being shared with them.

Can I not opt out?

Not an option. Unfortunately, I could not find a way to opt out of this system on the Emirates site. I finally had to fall back on privacy-preserving browser extensions.

Can this not be fixed by Emirates?

As a software engineer who has worked for some of the largest e-commerce companies, I understand the need to use third-party services to optimise and enhance not only the digital product but also how users interact with it.

It is not the use of third-party services that is of concern here but how they are implemented. Emirates controls its website and what the website shares with third-party services. It is this control that needs to be exercised to limit the leakage of user information.

It is not a mammoth task; it is just a matter of commitment to preserving the basic right to privacy.

For example:

  1. Private pages should carry noindex meta tags.
  2. Limit the presence of third-party services on private pages.
  3. Set a Referrer-Policy on pages with sensitive data, so the page URL (and the booking reference it carries) is not sent along with every third-party request.
  4. Implement CSP and SRI. Even with a huge footprint of third-party services, neither CSP nor SRI is enabled on Emirates.com.
  5. Users need to be informed when sensitive information such as passport or contact details is updated, edited or deleted.
  6. The domain used for sending emails, track.emirates.email, should have a valid certificate: https://track.emirates.email/

If you are interested in reading more about the trackers present on your favourite websites, I highly recommend checking out WhoTracksMe.

Updates:

- March 6th, 2018:

Emirates responded with a standard statement.

Excerpt: "The depiction in Mr Modi's article as to what data is being shared, or customer choice in 'opting out' is inaccurate."

Here is my response: Privacy leaks round-trip: Emirates.com in denial

Happy Hacking!

- Konark Modi

Thanks for reading and sharing! :)

If you liked this story, feel free to clap a few times (up to 50 times. Seriously).

Credits: Special thanks to Remi and Pallavi for reviewing the post.

Translated from: https://www.freecodecamp.org/news/how-airlines-dont-care-about-your-privacy-case-study-emirates-com-6271b3b8474b/
