Ryanair Insecurity

Economy airline Ryanair sees good security as "superfluous" according to a report by The H Security. Newspaper Der Tagesspiegel discovered that Ryanair's booking system gives a user three ways to verify their identity in order to modify their booking. One of those ways is by entering only three pieces of information:

  1. Date of flight
  2. Email address
  3. Origin and destination of flight

As Der Tagesspiegel points out, it is not hard to guess these details about someone you know from their Facebook updates, or simply by asking them when they are going away.

Ryanair spokesman Daniel de Carvalho rejects concerns:

The experts consulted by the Tagesspiegel talking complete rubbish [sic]

He emphasised that it is each passenger's responsibility to keep their personal information secure. Umm...okay.

Most airlines have implemented this functionality properly, by using a unique piece of data only known by the airline and the passenger, such as a password or booking reference. And this is why they do that:

First of all, an email address is usually not considered secret, otherwise nobody would be able to email you. It may be on your business card, your website, your social networking profile and so on.

With regard to the other two pieces of information, assuming the user does indeed keep them secure, how easy are they to guess?

Let us start with the origin and destination of a flight. Each airport has a limited number of routes to other airports, so for example from Aberdeen you can only fly to Dublin, and from Dublin you can fly to 75 other airports. These routes are on the Ryanair web page in a JavaScript array called "Stations". Running the following Ruby command on the data told me how many permutations of origin and destination there are:

ruby -e 'n=0; File.readlines("stations.txt").each {|line| n+= line.scan(/"[A-Z]{3}"/).size-2}; puts n'

The answer was 2488. If we knew someone's email address and wrote a script that programmatically submitted requests to the Ryanair website at a relatively slow rate of 4 per second, it would take just over 10 minutes to check every flight permutation for a single date. Brute forcing every permutation against an email address for every date in the whole of next month would take just over 5 hours.

We haven't optimised it, of course. Say you knew someone's email address and knew they were based in the UK. It is a good bet they will be departing from an airport on the UK mainland. Running the Ruby command again for UK airports only got it down to 394 permutations, meaning you could scan next month's flights for a target email address in about 49 minutes. Clearly it gets worse if the target lives in, say, Latvia: the limited number of destinations means someone could scan the next six months' worth of flights for a booking in about 10 minutes.
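To make the point of the two preceding paragraphs (and the contrast with a booking reference mentioned earlier) concrete, here is an added Ruby example that is not part of the original post. It counts origin/destination pairs from a constructed Stations-like structure (the station codes and routes below are made up, not Ryanair's real data), restricts the count to a chosen set of origin airports, converts the search space into an exhaustion time at a given request rate, and expresses the same space in bits so it can be compared with a six-character booking reference. The per-email attempt limit in the last function is a hypothetical mitigation parameter, not a description of Ryanair's system.

```ruby
# Added example: quantify how little secret material a date + email +
# route check actually contains. Not code from the original post.
require 'json'

# Constructed sample shaped like a flattened JavaScript "Stations" array:
# each key is an origin code, each value its list of destination codes.
SAMPLE_STATIONS = <<~JSON
  {
    "ABZ": ["DUB"],
    "DUB": ["ABZ", "STN", "LTN", "RIX", "BCN"],
    "STN": ["DUB", "RIX", "BCN", "ALC"],
    "LTN": ["DUB", "RIX"],
    "RIX": ["DUB", "STN", "LTN"],
    "BCN": ["DUB", "STN"],
    "ALC": ["STN"]
  }
JSON

# Hypothetical list of UK-mainland origins for the filtered count.
UK_ORIGINS = %w[ABZ STN LTN].freeze

def parse_stations(json_text)
  JSON.parse(json_text)
end

# Number of (origin, destination) pairs, optionally restricted to a set
# of origin codes. This is what the post's one-liner computes (2488 for
# the real data at the time of writing, 394 for UK origins only).
def route_count(stations, origins: nil)
  stations.sum do |origin, dests|
    (origins.nil? || origins.include?(origin)) ? dests.size : 0
  end
end

# Total (route, date) combinations an attacker would have to try for one
# known email address over a window of `days` dates.
def combinations(routes, days)
  routes * days
end

# Seconds to exhaust every combination at `rate` requests per second
# when nothing limits the attempts.
def seconds_to_exhaust(routes, days, rate: 4.0)
  combinations(routes, days) / rate
end

# Equivalent "secret" strength in bits, for comparison with a real secret.
def entropy_bits(combos)
  Math.log2(combos)
end

# A six-character alphanumeric booking reference has 36**6 possibilities.
def booking_reference_bits(length: 6, alphabet_size: 36)
  Math.log2(alphabet_size**length)
end

# Hypothetical mitigation: if the site allowed only `attempts_per_day`
# identity checks per email address, how many days would exhaustion take?
def days_to_exhaust_with_limit(combos, attempts_per_day)
  (combos.to_f / attempts_per_day).ceil
end

if __FILE__ == $PROGRAM_NAME
  stations = parse_stations(SAMPLE_STATIONS)
  all = route_count(stations)
  uk = route_count(stations, origins: UK_ORIGINS)
  puts "sample routes: #{all} (UK origins only: #{uk})"
  # Reproduce the post's figures with its real counts: 2488 and 394.
  puts format('2488 routes, one date: %.1f minutes', seconds_to_exhaust(2488, 1) / 60)
  puts format('2488 routes, 30 dates: %.2f hours', seconds_to_exhaust(2488, 30) / 3600)
  puts format('394 routes, 30 dates: %.2f minutes', seconds_to_exhaust(394, 30) / 60)
  puts format('route+date space: %.1f bits vs booking reference: %.1f bits',
              entropy_bits(combinations(2488, 30)), booking_reference_bits)
  puts "days to exhaust at 10 attempts/day: #{days_to_exhaust_with_limit(combinations(2488, 30), 10)}"
end
```

Run with the post's real counts, the functions reproduce its figures: 622 seconds for one date, about 5.2 hours for a month, about 49 minutes for UK origins. The route-plus-date space for a month is only around 16 bits, against roughly 31 bits for a six-character booking reference, and a modest per-email attempt limit turns hours into decades, which is the practical argument for a secret only the airline and passenger share.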

So, I think I will have to agree with the experts consulted by Der Tagesspiegel.