SIK-2017-002
Title:
Http URLs in Lufthansa App
Report ID:
SIK-2017-002
Summary:
- Vendor: Deutsche Lufthansa AG
- Product: Lufthansa App
- Affected Version: 5.6.1
- Severity: low
- Short summary:
Some URLs that open in the browser use http instead of https.
Details:
In the Lufthansa app, the user can tap „Travel Guide“. This function opens the web browser to http://travelguide.lufthansa.com/?APP=1, which uses http instead of https. The same web server also serves the page over https, so the plain-http link is an unnecessary vulnerability. An attacker who can intercept this request can serve the user a fake website for a phishing attack.
Workaround:
Do not use the „Travel Guide“ feature in the app; instead, open the website directly in the browser using https.
Suggested Mitigation:
Always use https if the server supports it.
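As an added illustration of this mitigation (example code, not the advisory's or the vendor's own), the helper below rewrites plain-http browser links to https for hosts known to serve the same content over TLS, keeping the path and query such as ?APP=1 intact, and audits an app resource file for remaining http:// URLs so the problem is caught before release. The host allowlist and the sample resource file are constructed for this example; only the Travel Guide URL comes from the advisory.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts verified to serve the same content over TLS. Constructed allowlist for
# this example; only the Travel Guide host is taken from the advisory.
HTTPS_CAPABLE_HOSTS = {"travelguide.lufthansa.com"}

# Matches plain http:// links embedded in text resources (not https://).
HTTP_URL_RE = re.compile(r"""http://[^\s"'<>]+""")


def upgrade_to_https(url, https_hosts=HTTPS_CAPABLE_HOSTS):
    """Return the URL the app should hand to the browser.

    Plain-http links to a host known to support TLS are rewritten to https;
    path and query (e.g. ?APP=1) are preserved. Links to other hosts and
    non-web schemes (mailto:, tel:) are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    if parts.hostname not in https_hosts:
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def find_plain_http_urls(resource_text):
    """List every http:// URL in a resource/config file so a build check or
    reviewer can flag it before the app ships."""
    return sorted(set(HTTP_URL_RE.findall(resource_text)))


# Constructed sample of an app string-resource file; only the first URL is real.
SAMPLE_RESOURCES = """
<string name="travel_guide_url">http://travelguide.lufthansa.com/?APP=1</string>
<string name="support_mail">mailto:support@example.invalid</string>
<string name="status_url">https://status.example.invalid/</string>
<string name="legacy_url">http://legacy.example.invalid/terms</string>
"""

if __name__ == "__main__":
    for url in find_plain_http_urls(SAMPLE_RESOURCES):
        print(f"{url} -> {upgrade_to_https(url)}")
```

A link whose host is not on the allowlist is left as http on purpose: blindly rewriting every link would break hosts that do not serve TLS, so the allowlist should be maintained from a verified check of each host.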
Timeline:
- 2017-01-10: Vulnerability discovered
- 2017-02-15: Reported
- 2017-02-28: Fixed