Privacy breach: Greyhound Australia ticketing system flawed

Sometimes we take for granted the simple security measures put in place to protect our privacy. Take for example the need to enter both your booking reference number and your surname into an airline website before you can see a copy of the e-ticket for travel. Now imagine you could just enter any set of random numbers and no other details to bring up the itinerary of someone who has booked a bus journey – it’s a huge security hole which leaves the privacy of thousands of travellers wide open, and it happened right here in Australia to Greyhound Australia.

Exposed tonight on Channel 9’s A Current Affair by reporter Rohan Wenn, this simple error meant that typing any series of digits into the URL (web address) used by passengers to download their own e-ticket would likely show you another traveller’s name and itinerary, plus the price they paid.

 

A full passenger itinerary – available simply by changing the Ticket Number in the web URL

While on the face of it this could be seen as a small problem, consider the privacy that should come with someone’s travel itinerary. Is the person meant to be away from work? Does their family know they are going away? And perhaps most alarmingly, what could a potential burglar do with the information, knowing you are away from home for a set period?

Greyhound sent A Current Affair a written statement 4 days after being told of the bungle. They thanked A Current Affair for telling them about the “potential breach in privacy”; however, as reporter Rohan Wenn points out, “there was nothing potential about it. It actually happened.

“They also tried to downplay its seriousness by pointing out they hadn’t received any customer complaints about the issue.”

In the story that aired tonight, Rohan approached travellers whose itineraries he had found on the site: “They were all very surprised to see us and understandably more surprised to discover we had copies of their tickets. We approached them simply to see if what we had uncovered was correct, that we had found real, existing tickets for future dates. Unfortunately, it was correct.

“One passenger in particular was extremely disturbed, fearing for her safety if someone in her life knew her whereabouts. Obviously, we did not put her to air in our story.”

Since the investigation by A Current Affair, the site has removed the online ticketing flaw, and while that should give some comfort to those travelling, it does little to change the fact that the flaw existed – probably for as long as the company has had an online e-ticket download service.

The flaw was this simple – you are at a website where the PDF ticket for your journey is available to print or save. The website URL (address) ends with your own ticket number. Increase that number by 1, or change it to any other number, and you’ll likely find someone else’s valid ticket.

Ticket Number corresponded to the website URL
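The ticket-number-only lookup described above, next to the airline-style check from the opening paragraph, as an added example. This is not Greyhound's code; the ticket data, function names, client identifier and five-attempt limit are all constructed for illustration.

```python
import hmac
import unicodedata
from collections import Counter

# Constructed sample data: ticket numbers, names and prices are invented.
TICKETS = {
    1000481: {"surname": "Nguyen", "itinerary": "Sydney -> Canberra", "price": "42.00"},
    1000482: {"surname": "O'Brien", "itinerary": "Brisbane -> Byron Bay", "price": "38.50"},
}

MAX_FAILURES = 5       # assumed limit, tune per deployment
_failures = Counter()  # failed lookups per client identifier (e.g. source IP)


def get_ticket_vulnerable(ticket_number):
    """Lookup keyed only on the number in the URL: any valid number returns
    that traveller's name, itinerary and price."""
    return TICKETS.get(ticket_number)


def _norm(name):
    # Case-, accent- and punctuation-insensitive form, so "o'brien" matches "O'Brien".
    folded = unicodedata.normalize("NFKD", name).casefold()
    return "".join(c for c in folded if c.isalnum()).encode()


def get_ticket_checked(client_id, ticket_number, surname):
    """Return the ticket only when the surname matches the booking.

    A surname is a weak secret, so failures are counted per client and the
    client is locked out once the limit is reached.
    """
    if _failures[client_id] >= MAX_FAILURES:
        return None
    ticket = TICKETS.get(ticket_number)
    # Always run the comparison, against a dummy value when the ticket does
    # not exist, so "no such ticket" and "wrong surname" look the same.
    expected = _norm(ticket["surname"]) if ticket else b"\x00"
    matches = hmac.compare_digest(expected, _norm(surname))
    if ticket is not None and matches:
        return ticket
    _failures[client_id] += 1
    return None
```

In a real service the failure counter would live in shared storage and expire over time; an unguessable random token in the download link is another way to close the same hole.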

How could this happen? Well, it is quite possible that the idea of a “downloadable ticket” was created along with a website and IT upgrade at the company, and with web development being a straightforward “give them what they want” driven process, the checks, balances and steps that larger travel organisations would put in place were simply not considered.

Begs the question – what other ticketing sites might suffer from the same simple flaw?

Greyhound offered no explanation for the error, only a simple “thank you” for contacting them, and that they’d fixed the problem.

Watch the full story from A Current Affair at their website: http://aca.ninemsn.com.au
