That time Volaris exposed our data

Some time ago I found a bug on the Volaris website that allowed any computer, without any authorization or special software, to access data concerning hundreds of thousands of bookings.

Each of the reservations contained the following information:

  • Payment data (card expiration date and amount)
  • Names of passengers
  • Travel itinerary (flight numbers, destination and schedule)

All this information was available through a simple HTTP request (without Secure Sockets Layer!) that could be made from any web browser.
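To make the class of bug concrete, here is an added illustration that is not Volaris's code and not from the original post: a hypothetical booking-lookup endpoint that, like the one described above, hands the full record to anyone who supplies a booking reference, beside a version that requires proof of ownership and never returns card data. Every PNR, name, flight, amount and e-mail address below is constructed; the function names and the `pnr`/`last_name` query parameters are assumptions for the example.

```python
"""Hypothetical booking lookup: the unauthenticated form of the bug beside a
version that checks who is asking. All data and names here are made up."""
from urllib.parse import urlsplit, parse_qs
import hmac
import unicodedata

# Constructed sample bookings; the PNRs, names, flights and amounts are invented.
BOOKINGS = {
    "ABC123": {
        "owner_email": "ana@example.invalid",
        "passengers": ["Ana López", "Luis López"],
        "flights": [{"number": "Y4 100", "route": "MEX-TIJ", "departs": "2015-09-01T07:30"}],
        "payment": {"card_expiry": "12/19", "amount_mxn": 1850.00},
    },
    "XYZ789": {
        "owner_email": "carlos@example.invalid",
        "passengers": ["Carlos García"],
        "flights": [{"number": "Y4 200", "route": "GDL-CUN", "departs": "2015-09-03T13:00"}],
        "payment": {"card_expiry": "03/18", "amount_mxn": 2399.00},
    },
}


def _query(url):
    """Return the first value of each query-string parameter of a request URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def insecure_lookup(url):
    """The bug class described in the post: whoever knows (or guesses) a PNR
    gets the whole record, payment data included, with no check on the caller."""
    pnr = _query(url).get("pnr", "").upper()
    booking = BOOKINGS.get(pnr)
    if booking is None:
        return 404, None
    return 200, booking


def _normalize(name):
    """Case- and accent-insensitive ASCII form so 'lopez' matches 'López'."""
    stripped = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return stripped.strip().upper()


def _surname_matches(booking, surname):
    """True if the surname belongs to any passenger on the booking. Every
    passenger is checked (no early exit) with a constant-time comparison."""
    wanted = _normalize(surname)
    ok = False
    for full_name in booking["passengers"]:
        ok |= hmac.compare_digest(_normalize(full_name.split()[-1]), wanted)
    return ok


def _redact(booking):
    """Never echo card data back to the client; itinerary and amount are enough
    for a manage-my-booking page."""
    return {
        "passengers": list(booking["passengers"]),
        "flights": [dict(f) for f in booking["flights"]],
        "payment": {"amount_mxn": booking["payment"]["amount_mxn"]},
    }


def secure_lookup(url, session_email=None):
    """Return the booking only to the account that owns it (authenticated
    session) or to a caller presenting the PNR plus a passenger surname.
    An unknown PNR and a failed ownership check both answer 404, so the
    endpoint cannot be used to enumerate which PNRs exist."""
    params = _query(url)
    pnr = params.get("pnr", "").upper()
    booking = BOOKINGS.get(pnr)
    if booking is None:
        return 404, None
    if session_email is not None and hmac.compare_digest(
        _normalize(session_email), _normalize(booking["owner_email"])
    ):
        return 200, _redact(booking)
    surname = params.get("last_name")
    if surname and _surname_matches(booking, surname):
        return 200, _redact(booking)
    return 404, None
```

The authorization check is independent of the transport: moving the endpoint to HTTPS would have hidden the responses from someone sniffing the network, but on its own it would not have stopped anyone from simply asking for each booking in turn.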

After reporting the problem by various means (over a period of 30 days), I got a reply from the E-commerce Manager requesting additional details.

Approximately eight months after I learned of the bug (which I never made public), Volaris launched a new website on a different platform, so the bug no longer exists. Apparently nobody paid due attention to it.

In the past I have reported bugs I found on other sites, and this was by far the one that took the longest to be addressed.

It would have been interesting to know how this issue was handled within Volaris –if it was handled at all–, how they manage their software development life cycle or whether it is managed by another company, and whether any users were affected.

Arturo León