Spirit Airlines is known for their low airfare prices. Unfortunately, those low prices tend to show up as a lack of budget or attention in places where it is most needed.
Today I discovered a way to look up a customer’s name, ZIP code, primary airport, and account number on Spirit’s website using only an email address.
The process is simple: head over to https://www.spirit.com/ and hit the big “SIGN-UP NOW!” button for coupons and deals. If you are already signed up for discount flights, then they have your information and it’ll be displayed in GIANT LETTERS.
For those with technical knowledge, you can also find a user’s ZIP code and account number. Look for the string format:
mn=fname=[FIRST NAME]&uid=[ACCOUNT NUMBER]&z=[ZIP CODE] in a cookie that they send back. I used Charles to find that data, so give that a try if you’re having trouble.
Next steps for a malicious data-junkie: write a script to run thousands of known email addresses through the webpage and start gathering info. Optional: sell the names, airline account numbers, and ZIP codes online to the highest bidders.
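From the defender’s side, the bulk lookup described above is easy to spot in the sign-up endpoint’s access logs: one client submitting many distinct email addresses in a short window. The following is an added example (not Spirit’s code, and the log format, IPs and addresses are constructed) that flags such clients with a sliding-window count of distinct addresses per source IP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real traffic): timestamp, client IP,
# and the email submitted to the sign-up form. An enumeration script shows up
# as one client submitting many distinct addresses within seconds.
SAMPLE_LOG = """\
2019-01-01T10:00:00Z 203.0.113.5 POST /signup email=alice@example.com
2019-01-01T10:00:01Z 203.0.113.5 POST /signup email=bob@example.com
2019-01-01T10:00:02Z 203.0.113.5 POST /signup email=carol@example.com
2019-01-01T10:00:03Z 203.0.113.5 POST /signup email=dave@example.com
2019-01-01T10:00:04Z 203.0.113.5 POST /signup email=erin@example.com
2019-01-01T10:00:05Z 203.0.113.5 POST /signup email=frank@example.com
2019-01-01T10:05:00Z 198.51.100.7 POST /signup email=grace@example.com
2019-01-01T10:06:00Z 198.51.100.7 POST /signup email=grace@example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) POST /signup email=(\S+)$")


def parse_line(line):
    """Return (timestamp, ip, email) for a sign-up request line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3).lower()


def find_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Map each client IP that submitted more than `threshold` distinct
    addresses inside any sliding `window` to its peak distinct-address count."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, email = parsed
            events[ip].append((ts, email))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {email for _, email in evs[start:end + 1]}
            if len(distinct) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Rate limiting on this signal only slows the harvesting down; the durable fix is for the sign-up endpoint to stop returning account details for an unauthenticated email address at all.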
While many may wave off this minor data breach as nothing important, we should keep in mind that names and locations are sensitive customer information which can be stored and used in identity theft attempts. Just as bad, imagine an attacker gaining access to your account through social engineering and using your saved credit card to purchase a flight in your name.
What are your thoughts on low-level security breaches like this? Reach me in the comments or on Twitter at @_alecoconnor.