Do you want to travel for free? Do you want to use other people’s tickets for free? Do you wanna ruin their trip for the fun of it? In this post i will show you How to Hack and Get Free Flights from Nakhal Lebanon.
After hacking banks and several major Lebanese companies in 2013, I personally hoped that Lebanese companies in 2016 will start hardening their online security. I discontinued writing my security posts a while ago, and now I know that i should’ve never stopped, It was the wrong thing to do. Simply Because companies are not going to fix anything Without having someone like me pointing the finger at each simple and stupid security flaw.
Last August I booked my ticket to Barcelona with the Lebanese Travel Agency Nakhal. But it wasn’t till last Saturday that I decided to redeem my flights points on Vueling. I logged in to my personal email, and clicked on the link in my e-ticket which took to a page with the following link “http://nakhalonline.com/CharterFlights/CHFFlightTiming2.aspx?TicketNB=381650”.
A link which shows the ticket booked based on the Ticket Number, which is listed in the link it self. Try changing the numbers in the link and you will get access any ticket you want.
Simply change the last number in the url to 381680 and you will have access to ZEINA SULTANI’s flights information to Bodrum.
Theft and privacy.
While a normal internet user can simply change the numbers in the url randomly to get the ticket he wants, more advanced users are able to extract all the tickets database in minutes, using a program that loops through all the numbers from 0 till 1 million.
Why This information is dangerous?
Now that all the tickets information are available to download at ease. You can make use of anyone’s ticket; all you have to do is call Nakhal, pretend to be the owner of the ticket, give them the name on the ticket and the flight information, and request to transfer the ticket to your name. Name transfer usually costs 100$ with Nakhal. Another solution would be to bypass Nakhal and directly address the airline company and request them to change the name on the ticket. However The most evil thing that you can do is change the dates of the flight or cancel it, you can do that by using a fake number, and nobody will ever catch you.
Airlines data, and individuals privacy
Another way hackers can make use of this data, is by simply gathering the data and analyzing it, so that they can provide competitor airline insight on the flights on a certain Airline ( or even to a competitor agency ).
Whereas the most important part of this is consumer’s privacy; Sadly Nakhal is not the only company in Lebanon, who is abusing consumers privacy right. Ogero, LIU, AUST, and many other institutions/companies are doing the same. The main problem is the absence of laws that protect Lebanese consumers privacy. As internet laws in Lebanon are almost non-existing, and the only way online criminals are being prosecuted is by relating online crimes to existing Lebanese laws.
How difficult is it to fix this issue and protect online consumers:
Fixing this problem is easy, and takes roughly an hour to fix. All the agency has to do is request the last name of the traveler on the affected page. That alone will prevent most of unauthorized access to traveler’s data. However in case Nakhal and other websites want to implement an additional layer of security, another simple solution will be to add a security token that validates data integrity with each request. In other words they add an encrypted version of all the data sent in addition to a private key only known by their system.
How to Hack and Get Free Flights from Nakhal Lebanon, was written to shed the light on the lack of online privacy and security in Lebanese websites. Although Nakhal was taken as an example in this post, no harm is intended to Nakhal. Ogero, LIU and AUST were mentioned as examples without listing the details of their security bugs.