JetBlue: The deadly sin of an otherwise great airline

I’ve been flying a lot between NYC and San Francisco. To be honest, I mostly fly Virgin America, but I know that JetBlue is also great, so I decided to give them a try. They even have WoofTop on terminal 5! How could you compete with that?

I flew with them 2 weeks ago, on July 29th. My flight was scheduled at 3pm, but got delayed for more than 3 hours. Very little explanation was given other than “the pilots are in Vegas”. No weather conditions in Vegas, I checked, so it must have been some sort of logistics issue.

I get it, coordinating hundreds of flights every day is hard, sometimes something goes wrong and your customers just have to take your apology. JetBlue were kind enough to give every passenger a $50 dollar credit on our accounts.

Great! I forgive you JetBlue! Let’s be friends again!

Except…

To give me my credit, JetBlue did 2 things wrong:

• They created an account on something called TravelBank using the wrong email address.
• They emailed me my password in plain text.

Forget about that first problem. I can even try to predict how it happened:

1. Gmail ignores dots in the middle of email addresses.
2. Some server operated by JetBlue removes dots in the middle of email addresses.
3. Some other server doesn’t…so they created 2 accounts…whatever, doesn’t matter. Let’s focus on the real issue.

They emailed me my password in plain text.

Not a generated password, but a password I typed into a text box weeks before. That happened. In 2016.

This is the electronic equivalent of storing millions of $1 bills with keys attached to them in a public place using a semi transparent safe, and then taking a picture of each key and sending it to the owner. Those keys probably work on other safes too, because unfortunately people still reuse their passwords. Not a perfect analogy, but it’s the best that I could come up with.

Since the bills are behind a safe, people assume they are safe, but they are not. That safe has weaknesses. Most importantly, thieves know where it is and what’s inside it. No competent security engineer would ever recommend to do this. The safe must be opaque and the location must be protected behind other security measures. Also, never store the keys.

You never store passwords.

You store salted hashes of those. Here is a Computerphile video of Tom Scott explaining this. Note the emphasis on “this is a monumentally bad idea”.

Google doesn’t know your password. Facebook doesn’t know your password. They don’t know it because they only store its salted hash. They cannot email it to you. All they can do is send you a link so that you can create a new one. If they get hacked, hackers can’t see your password, because it’s not stored anywhere! All they have is the salted hash of your password, which is very very hard to crack.

4 years later…

The most concerning part is that this serious security problem was pointed to JetBlue in July 2012. There is a BusinessInsider post about it. You can read it here.

I reached out to JetBlue on twitter. No reply yet. I called their customer support service and they said it was the first time it was pointed out to them. A friend of mine had the exact same issue 2 years ago, called them and they told him the issue was going to be resolved soon.

JetBlue is a great airline. They only need to get great at cybersecurity too. They need to hire a team of experts and upgrade their security systems to something that is more adequate to the day and age we live in, not their current system from the dark ages.

I have changed my password. I am afraid of transparent safes visible by everyone.