HTTP URLs in Lufthansa App
- Vendor: Deutsche Lufthansa AG
- Product: Lufthansa App
- Affected Version: 5.6.1
- Severity: low
- Short summary:
Some URLs that open in the browser use HTTP instead of HTTPS.
In the Lufthansa app, the user can click on "Travel Guide". This function opens the web browser at http://travelguide.lufthansa.com/?APP=1, which uses HTTP instead of HTTPS. The web server also supports HTTPS, which makes this an unnecessary vulnerability. An attacker can intercept this request and provide the user with a fake website for a phishing attack.
Do not use the "Travel Guide" feature in the app; instead, open the respective website directly in the browser using HTTPS.
Always use HTTPS if the server supports it.
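A release check for this class of issue, added here as an example and not taken from the vendor or the app: it scans text extracted from an app package for fetchable `http://` URLs and skips XML namespace identifiers, which look like URLs but are never requested. The resource file names, the namespace allowlist and the `example.com` URL are assumptions constructed for the sample.

```python
import re
import sys

# XML namespace identifiers: URL-shaped but never fetched (assumed allowlist).
NAMESPACE_PREFIXES = ("http://schemas.android.com/", "http://www.w3.org/")
URL_RE = re.compile(r"http://[^\s\"'<>)\\]+", re.IGNORECASE)

# Constructed sample input; file names and the help URL are made up.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        '  <string name="travel_guide_url">http://travelguide.lufthansa.com/?APP=1</string>\n'
        '  <string name="help_url">https://example.com/help</string>\n'
        "</resources>\n"
    ),
    "res/layout/main.xml": (
        '<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"/>\n'
    ),
}


def find_cleartext_urls(files):
    """Return sorted (filename, line_no, url) for every fetchable http:// URL."""
    findings = []
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in URL_RE.finditer(line):
                url = match.group(0).rstrip(".,;")  # drop sentence punctuation
                if url.lower().startswith(NAMESPACE_PREFIXES):
                    continue  # identifier only, no request is made
                findings.append((name, line_no, url))
    return sorted(findings)


def upgrade(url):
    """Rewrite the scheme to https; confirm the host serves HTTPS before shipping."""
    return "https://" + url[len("http://"):]


if __name__ == "__main__":
    results = find_cleartext_urls(SAMPLE_FILES)
    for name, line_no, url in results:
        print(f"{name}:{line_no}: {url} -> {upgrade(url)}")
    sys.exit(1 if results else 0)  # non-zero exit fails the build
```
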
- 2017-01-10: Vulnerability discovered
- 2017-02-15: Reported
- 2017-02-28: Fixed