阿联酋gitex

by Konark Modi

通过Konark Modi

航空公司网站不在乎您的隐私后续行动：阿联酋航空对我的文章进行了全面否认 (Airline websites don’t care about your privacy follow-up: Emirates responds to my article with full-on denial)

Yesterday, The Register wrote about my exposé on the privacy failings of airline websites.

昨天， The Register记录了我关于航空公司网站隐私失灵的经历 。

When I published my original article last Friday, Emirates had failed to respond to my request for comments. But Emirates did respond to The Register, with the following statement:

当我上周五发表原始文章时，阿联酋航空没有回应我的置评请求。 但是，阿联酋航空确实对《名册》做出了回应，声明如下：

Their statement is not only vague — it is factually incorrect. And I feel it’s my professional duty to call them out on this.

他们的陈述不仅含糊不清-实际上是不正确的。 我觉得召集这些人员是我的专业职责。

他们的陈述的细目分类，以及当您真正考虑它们时逻辑如何分解 (A breakdown of their statement, and how their logic breaks down when you really think about it)

第1期 (Issue 1)

First Emirates says, “We can confirm that none of the security vulnerabilities highlighted will allow a breach (unauthorised access) of personal data on our website or mobile app.”

第一阿联酋航空表示：“ 我们可以确认突出显示的所有安全漏洞都不会破坏(未经授权的访问)我们网站或移动应用程序上的个人数据。”

How does Emirates define breach? Well, Wikipedia defines a data breach like this:

阿联酋航空如何定义违约行为？ 好吧，维基百科定义了如下数据泄露：

“A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so.”

“数据泄露是一种安全事件，其中敏感，受保护或机密数据被未经授权的个人复制，传输，查看，窃取或使用。”

In its Privacy Policy, Emirates highlights the importance of safeguarding Booking Reference information:

阿联酋航空在其隐私政策中强调了保护预订参考信息的重要性：

Update 8th March, 2018: Another exhibit how Emirates seems to have forgotten to pay heed to their own advice “keep your Booking Reference safe” and is still sending it to Google Analytics from mobile app, via key:cd8 (unmasked). I have masked the fields in the picture to ensure Privacy.

2018年3月8日更新：另一个展览展示了阿联酋航空似乎忘记了他们自己的建议“保持您的预订参考资料安全” ，并且仍通过key：cd8 (未屏蔽)从移动应用程序将其发送到Google Analytics(分析)。 我已遮盖图片中的字段，以确保隐私。

For any changes to an existing booking, a Booking Reference number and Last name is all that is required. There is no requirement to verify who initially made the booking and whether the person making the changes is authorised to do so or not.

对于现有预订的任何更改，仅需提供预订参考号和姓氏 。 无需验证最初由谁进行预订，以及是否有权进行更改的人。

Emirates.com and the Emirates mobile app version (6.1.0) both allow access to their Manage Booking section based only on these two data points. This a standard practice across airlines, and this is not the point of contention for the purposes of this article.

Emirates.com和阿联酋移动应用程序的版本(6.1.0)都允许访问仅仅基于这两个数据点的管理预订部分。 这是跨航空公司的一种标准做法，这并不是本文讨论的重点。

但这是令人担忧的 (But this is when it gets worrisome)

As of March 6th, 2018, Booking Reference number and Last Name, among many other data points, are still being sent to the third-parties implemented. Does Crazy Egg, Boxever, Coremetrics need Booking Reference Number and Last name for showing Heat Map of the page? I don’t think so.

截至2018年3月6日，预订参考号和姓氏以及许多其他数据点仍在发送给已实施的第三方。 Crazy Egg，Boxever，Coremetrics是否需要预订参考号和姓氏才能显示页面的热图？ 我不这么认为。

This is the problem area — passing on user’s personal information to third parties who have absolutely no need for this information to render their services to Emirates “for the purpose of improving the online browsing experience.”

这就是问题所在–将用户的个人信息传递给完全不需要此信息的第三方以向阿联酋航空提供服务， “目的是改善在线浏览体验。”

The importance of using HTTPS links has been established over and over again by everyone who is anyone in the field of Technology. HTTP links are not only vulnerable to Man-In-The-Middle attacks but can also suffer from injection of malicious data.

使用HTTPS链接的重要性已经被技术领域的每个人一遍又一遍地确立。 HTTP链接不仅容易受到中间人攻击，而且还会遭受恶意数据的注入。

I am not sure how Emirates is confident enough to “confirm that none of the security vulnerabilities highlighted in (Mr. Modi’s) article will allow a breach (unauthorized access) of personal data on our website or mobile app” when track.emirates.email still does not have any SSL. How do they plan to avoid Man-in-the-Middle attacks?

我不确定阿联酋航空是否有足够信心来“确认 track.emirates.email 中(莫迪先生的文章中强调的任何安全漏洞都不会泄露(未经授权的访问)我们网站或移动应用程序上的个人数据”)仍然没有任何SSL。 他们如何计划避免中间人攻击？

第2期 (Issue 2)

Emirates says, “Whilst we do use a number of third party analytical tools on our sites for the purpose of improving the online browsing experience, we continually review how these are implemented.”

阿联酋航空表示： “尽管我们确实在网站上使用了许多第三方分析工具来改善在线浏览体验，但我们仍在不断审查这些实施方式。”

I shared in the article how Passport information and contact details were earlier un-obfuscated on both website and Mobile app. While the website was fixed when I checked last in February 2018, the mobile app continues to be problematic in this area. This can happen only when there is a lack of communication between the Website and Mobile Development Team or they did not “continually review the implementation” across all products.

我在文章中分享了如何在网站和移动应用程序上使护照信息和联系方式更加清晰。 当我在2018年2月上次检查时修复了网站时，该移动应用在这方面仍然存在问题。 只有在网站与移动开发团队之间缺乏沟通，或者他们没有“持续审查所有产品的实施情况”时，才会发生这种情况。

Another question that begs to be answered is what are the parameters for reviewing the implementation of third parties. Unless the mandate is strictly to NOT leak any kind of user-information, the reviews could be of anything and would not have the slightest impact on the security and vulnerability of user information being freely passed on the third parties.

另一个需要回答的问题是，审查第三方实施情况的参数是什么。 除非严格授权不要泄漏任何类型的用户信息，否则审核可能会涉及任何内容，并且不会对第三方自由传递的用户信息的安全性和漏洞产生丝毫影响。

The last time this issue was highlighted to Emirates was in October 2017. In the 5 months that have passed since then these issues were not picked up by the review team. Maybe they are not as “continuous” as Emirates claims them to be.

此问题上一次向阿联酋航空突出是在2017年10月。从那时起的5个月内，审核小组没有发现这些问题。 也许它们不像阿联酋航空所声称的那样“连续” 。

问题＃3 (Issue #3)

Emirates says, “Customers can find out more about how we use personal data and how they can opt out by reading our privacy policy on emirates.com”

阿联酋航空表示： “客户可以阅读emirates.com上的隐私政策，以了解有关我们如何使用个人数据以及他们如何退出的更多信息”

Upon a thorough review of Emirates’ Privacy & Cookie Policy, these are the points to note:

在全面审查阿联酋航空的“隐私和Cookie政策”后 ，需要注意以下几点：

1. It does not list ALL the implemented third-parties and the information being shared with them. Third parties like Boxever, ads-twitter.com, Coremetrics, Imigix, bing and many other that I had aggregated from their website are not even mentioned in their Privacy Policy.

1.它不会列出所有已实现的第三方以及与其共享的信息。 我从他们的网站汇总的Boxever，ads-twitter.com，Coremetrics，Imigix，bing和许多其他第三方都没有在其隐私权政策中提及。

2. Opt-out options available only mentions ways using about cookies, YourOnlineChoices. This means that not only the information provided in Privacy Policy is incomplete but also does not share any options to opt-out of services CrazyEgg, BoxEver, Coremetrics etc. The process is tedious and cumbersome.

2.可用的退出选项仅提及使用cookie，YourOnlineChoices的方式。 这意味着不仅隐私政策中提供的信息不完整，而且不共享任何选择退出服务CrazyEgg，BoxEver，Coremetrics等的选择。此过程既繁琐又麻烦。

3. The option to opt-out is biased based on the country of residence of the users. If you are a resident of EU you can use this link to opt-out. If you are a resident of USA this is the link to opt-out. But if you are a resident of any other region, I am sorry to break it to you that you have been short-changed.

3.选择退出的选项因用户的居住国而异。 如果您是欧盟居民，则可以使用此链接选择退出。 如果您是美国居民，这是退出的链接。 但是，如果您是任何其他地区的居民，很抱歉将您的身份更改给了您。

4. Opting-out of cookies is not going to have any impact on the data leaks highlighted in the article because the referrer is not being cleaned. Anybody with basic tech knowledge can confirm this.

4.选择退出cookie不会对本文中突出显示的数据泄漏有任何影响，因为没有清理引荐来源网址。 任何具有基本技术知识的人都可以确认这一点。

简而言之 (In Short)

Even if the user somehow manages to opt-out of all the trackers using the methods listed and not listed, Emirates will still leak the Booking Reference and Last Name which is enough to access all other sensitive information because the implementation of these third-party services on Emirates.com is flawed.

即使用户以某种方式设法使用列出的和未列出的方法选择退出所有跟踪器，阿联酋航空仍会泄漏预订参考和姓氏，这足以访问所有其他敏感信息，因为这些第三方服务的实施在Emirates.com上存在缺陷。

Emirates needs to understand that once the information has been shared with third-parties, there is very little they can do to control how it is being used or might be used in the future, as they have themselves mentioned in their privacy policy.

阿联酋航空需要了解，一旦与第三方共享了信息，他们就无法控制其使用方式或将来可能使用的方式，正如他们在隐私政策中提到的那样。

It is one thing for Emirates to think that these issues are not critical enough for them to take necessary actions to fix them. It’s an entirely different thing to say that the information shared in the article is “not true”.

对于阿联酋航空来说，认为这些问题对他们采取必要的行动加以解决还不够关键。 说文章中共享的信息“不正确”是完全不同的。

I hope they fix these issues sooner rather than later.

我希望他们早日解决这些问题。

Happy Hacking !

快乐黑客！

- Konark Modi

-Konark Modi

Thanks for reading and sharing ! :)

感谢您的阅读和分享！ :)

If you liked this story, feel free to ??? a few times (Up to 50 times. Seriously).

如果您喜欢这个故事，请随时??? 几次(最多50次。严重)。

Credits: Special thanks to Remi , Pallavi for reviewing this post too :)

鸣谢：特别感谢Remi和Pallavi也评论了这篇文章：)

翻译自: https://www.freecodecamp.org/news/privacy-leaks-round-trip-emirates-com-in-denial-7f99950bcdd/

阿联酋gitex