Heartbleed: Major travel sites like Expedia and Priceline appear to have dodged a bullet
It’s a computer bug with a name out of a James Bond movie: Heartbleed. The security flaw, which exposes data to hackers, appears to threaten hundreds and possibly thousands of websites.
Respected US security expert (and not a sensationalist type) Bruce Schneier commented today:
“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
Luckily major online travel companies appear to have dodged a bullet.
On April 8 Web professional Mustafa Al-Bassam ran a giant scan for vulnerable sites.
Many household brand travel sites received a clean bill of health from this scan.
AirAsia, AirFrance, Cheapflights, Cheapoair, CTrip, Expedia, Kayak, Skyscanner, and Orbitz weren’t using OpenSSL, an open-source implementation of SSL (Secure Sockets Layer) and TLS, the encryption protocols that many websites use, and the software in which the Heartbleed security hole was found.
The same scan found that other companies — Booking.com, British Airways, Delta, Flightradar24, HRS, Priceline, Travelocity, Trivago, United, Virgin Atlantic — were “not vulnerable”. The full list of major brands is here.
Any company that was vulnerable before Monday and that had to make a fix now faces a tough choice: Should it prompt its users (by e-mail) to change their passwords?
Or would such a message create undue alarm among customers?
All companies face a danger of phishing emails that masquerade as Heartbleed password change notices.
In other industries, some companies are opting not to prompt customers. Google told Reuters: “We fixed this bug early and Google users do not need to change their passwords.”
Meanwhile other web services, such as the to-do application Wunderlist, automatically disconnected users from their platform — requiring them to sign back in — and also emailed users insisting that they should change their passwords.
No data is known to be compromised. This step is seen as precautionary.
It’ll be interesting to see which approaches various travel companies take.
You can run your own scan to test if a website has updated its security by typing in the site’s web address at ssllabs.com/ssltest or filippo.io/Heartbleed. The latter attempts to extract a bit of memory from the site, as if it were a hacker, and notes if the site is vulnerable.
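The scanners above probe a site from the outside. An operator checking their own servers usually starts from the inside, with the version banner that `openssl version` prints. The script below is an added example, not code from the article or from either scanning service: it classifies a banner against the affected range (OpenSSL 1.0.1 through 1.0.1f were affected, 1.0.1g shipped the fix, and the 1.0.0 and 0.9.8 branches never had the bug) and runs that check over a small constructed inventory of hosts. The host names and banners are made up for the example. A caveat a practitioner needs: Linux distributions often backport the fix without bumping the version letter, so a banner that reads 1.0.1e can belong to a patched build; treat "vulnerable" here as "needs confirmation", then confirm with the package changelog or one of the external scanners the article names.

```python
import re

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 up to and including 1.0.1f.
# 1.0.1g (7 Apr 2014) carried the fix; 1.0.0 and 0.9.8 never had the heartbeat code.
VULN_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> ('1', '0', '1', 'e')
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def classify_openssl_version(banner: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-affected' or 'unknown' for a version banner.

    'vulnerable' means vulnerable *by version string only*; distro backports can
    fix the bug without changing the letter, so confirm before raising an alarm.
    """
    if "beta" in banner.lower():
        # Pre-release builds (e.g. 1.0.2-beta1) had their own affected set; do not guess.
        return "unknown"
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    if release < VULN_BRANCH:
        return "not-affected"          # 0.9.8x, 1.0.0x: heartbeat code absent
    if release > VULN_BRANCH:
        return "fixed"                 # 1.0.2 and later shipped after the fix
    # 1.0.1 series: base release and letters a..f affected, g onward fixed.
    return "fixed" if letter >= FIRST_FIXED_LETTER else "vulnerable"


def hosts_needing_review(inventory: dict) -> list:
    """Given {host: banner}, list hosts whose banner looks vulnerable or cannot be parsed."""
    flagged = []
    for host, banner in sorted(inventory.items()):
        status = classify_openssl_version(banner)
        if status in ("vulnerable", "unknown"):
            flagged.append((host, status))
    return flagged


# Constructed inventory for the example; hostnames and banners are invented.
SAMPLE_INVENTORY = {
    "web-1.example.test": "OpenSSL 1.0.1e 11 Feb 2013",   # affected letter (or a backport)
    "web-2.example.test": "OpenSSL 1.0.1g 7 Apr 2014",    # first fixed release
    "api.example.test": "OpenSSL 1.0.0l 6 Jan 2014",      # older branch, not affected
    "legacy.example.test": "OpenSSL 0.9.8y 5 Feb 2013",   # older branch, not affected
    "lb.example.test": "nginx/1.4.7",                      # no OpenSSL banner at all
}

if __name__ == "__main__":
    for host, status in hosts_needing_review(SAMPLE_INVENTORY):
        print(f"{host}: {status} - confirm via package changelog or an external scan")
```

Running the script lists `lb.example.test` (no parsable banner) and `web-1.example.test` (affected letter) for follow-up, and stays silent about the three hosts whose versions are outside the affected range.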
For more information, read heartbleed.com.
NB: Heartbleed logo designed by Leena Snidate of Codenomicon.