Poor security at Thomas Cook airlines leads to simple extraction of fliers’ personal data

Bad news if your partner doesn’t know who you took on that ‘business trip’…

Thousands of holidaymakers relying upon Thomas Cook Airlines to get them to their vacation may have had their personal information put at risk due to sloppy security.

Roy Solberg, a programmer in Norway, discovered that it was possible to retrieve the following information from Thomas Cook Airlines’ systems using only a booking reference number:

  • Full name of all travelers on that booking
  • Email address of person registering the booking
  • Departure:
    • Date
    • Airport
    • Flight number
  • Return:
    • Date
    • Airport
    • Flight number

Solberg discovered that trips booked through the travel agency Ving, whose parent company is Thomas Cook, are assigned incremental booking reference numbers. In other words, you can reach other customers’ details simply by decrementing or incrementing the reference number in a URL.

This is known as an Insecure Direct Object Reference (IDOR), and it is not only a commonly encountered problem in poorly designed web applications, but also easy for an attacker to exploit.

In his tests, Solberg says that he was able to use the technique to see details of trips as far back as 2013, through to 2019. The bug finder believes that he could easily have written a computer program to loop through possible booking reference numbers and extract the personal details of most customers and their trips.
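The server-side check that closes this kind of hole, shown as an added example (not code from Solberg, Thomas Cook or this article): a lookup that trusts the reference alone, beside one that ties the booking to the authenticated caller and records refused lookups so that enumeration becomes visible. The booking data, function names and threshold are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: sequential references, as described in the article.
BOOKINGS = {
    1000041: {"owner": "alice@example.com", "travelers": ["Alice A", "Bob B"]},
    1000042: {"owner": "carol@example.com", "travelers": ["Carol C"]},
}


class NotFound(Exception):
    """Raised for missing AND unauthorised bookings, so a refusal does not
    confirm that a given reference exists."""


def get_booking_insecure(ref):
    # The IDOR pattern: knowing the reference is treated as proof of access.
    return BOOKINGS[ref]


def get_booking(ref, session_email, audit):
    # Hardened: the record must belong to the authenticated caller.
    # session_email is assumed to come from a verified login session,
    # never from the request parameters.
    booking = BOOKINGS.get(ref)
    if booking is None or booking["owner"] != session_email:
        audit.append((session_email, ref))  # keep a trail of refusals
        raise NotFound(ref)
    return booking


def enumeration_suspects(audit, threshold=3):
    """Return callers refused on at least `threshold` distinct references,
    the footprint left by someone stepping through booking numbers."""
    refused = defaultdict(set)
    for caller, ref in audit:
        refused[caller].add(ref)
    return sorted(c for c, refs in refused.items() if len(refs) >= threshold)
```

Issuing long random references instead of sequential ones makes guessing harder, but it does not replace the ownership check.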

Solberg says that data of bookings made with Thomas Cook Airlines through Ving Norway, Ving Sweden, Spies Denmark and Apollo Norway were affected by the vulnerability, but it seems perfectly plausible that other sites may be similarly impacted.

Aside from other privacy concerns (airlines will not normally confirm who is booked on what flight) such information could also be used in targeted phishing attacks claiming to come from a travel operator.

And if there’s more than one person travelling on the same booking, they would be visible too.

Which, as Solberg explains, is potentially another concern for those wishing to keep the details of their trip private:

“Some people might not like that you can see who they travelled with on vacation maybe 5 years ago. (‘Didn’t you say you were going to that job conference in Stockholm? And who is this you were travelling with?’)”

Solberg details on his blog how difficult it was to receive a timely response from Thomas Cook Airlines about the security vulnerability, although he does note that it has now been resolved.

Of course, we have little way of knowing if anyone exploited the security vulnerability in the past five-or-so years.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
