Software bugs problematic, too; 284 KrisFlyers members’ details shown

​HACKING is usually the cause of data breaches.

But it is not the only one as shown by what happened to Singapore Airlines’ (SIA) Krisflyer members’ personal details that were disclosed on January 4, The Strait Times reported on Sunday, January 6.

What seems to be the cause if not cyber-attack (hacking)?

The cause, as it turns out, of the leak of the members’ personal details was “software bug.”

SDN — Science and Digital News first came to learn about the incident through an email from McGallen & Bolden public relations agency.

Mainstream media today (January 7) covered a news that 284 Singapore Airlines KrisFlyer members’ personal details have been disclosed, not through a hack, but through a software bug, the email said.

“While hacks are more prevalent these days, the crux is that software bugs are equally problematic. Software bugs can create vulnerabilities which in turn expose companies to data loss, privacy lapses, and even hacks. The notion of “Shift Left”, where software should be designed to work, as well as being secure in the first place, is beginning to find traction in CEOs of companies worldwide.”krisflyer airplane - Science and Digital NewsAll images courtesy of Pixabay.

The Strait Times quoted an SIA spokesperson about the incident.

“We have been made aware of a number of cases in which a customer logged in to his or her KrisFlyer account, under certain specific conditions, may have been able to see selective details of another customer,” the spokesperson said.

The details that were seen by others included names, email addresses, account numbers, membership tier statuses, KrisFlyer miles and rewards, travel history and in seven cases, passport details.

It appeared that the “breach occurred when any two members log in to their KrisFlyer accounts and access transactions displaying their membership information at the same time, while also being assigned the same server by the system,” The Straight Times citing the spokesperson’s words.

Meanwhile, SIA assured that there was no changes made to the accounts of members and no credit card details were revealed, at the same time giving the figure of 284 total cases of what happened.

“We have established that this was a one-off software bug and was not the result of external party’s breach of our systems or members’ accounts,” the Asian airlines said.

It added that  it was communicating with affected customers even as the airlines also on its own informed the Personal Data Protection Commission (PDPC).

The incident has prompted an official of Synopsys, Nabil Hannan, managing principal of Software Integrity Group, to weigh in on the SIA KrisFlyer software bug situation.

His take:

“This is a very common bug, specially in applications where the authentication and authorization schemes are not designed well. In particular, when building the application, it is most likely that there were some basic flaws in the design of how authentication is performed to determine who can access what data. As a result, some simple changes made in the application could have resulted in some type of race conditions (i.e. undesirable conditions) and horizontal privilege escalation type of situation showing one customer a different customer’s private/sensitive information.

“These types of bugs can be easily avoided, however, but doing so requires having various security related checkpoints throughout the SDLC (Software Development Life Cycle). Typical QA testing just isn’t enough to catch these types of issues since we know that most QA testers usually test the “happy path” and in some cases at their discretion perform edge/boundary test cases. Some security touchpoint that could have helped are: a) proper security requirements on how to protect data and do proper authentication, b) misuse and abuse cases on how attackers may try to extract sensitive information from the application, c) performing security assessments like secure code review or penetration tests on a regular cadence to look for similar vulnerabilities, etc.”

Synopsys is an American company “at the heart of innovations in the new era of Smart, Secure Everything…from Silicon to Software.” (Synopsys)

Don't be shy, comments are welcome! Thank you.

This site uses Akismet to reduce spam. Learn how your comment data is processed.