Thursday, February 29, 2024


Mondee security lapse exposed flight itineraries and unencrypted credit card numbers


Travel giant Mondee has secured an exposed database that was spilling sensitive customer information, including detailed flight and hotel itineraries and unencrypted credit card numbers.

Anurag Sen, a good-faith security researcher known for discovering inadvertently exposed data on the internet, found the database and shared details with TechCrunch to alert the company.

According to Sen, the database was exposed to the internet without a password, allowing anyone to access the sensitive data inside using a web browser and only its IP address. TechCrunch found that the database was also accessible from an easily guessable subdomain of a Mondee subsidiary’s website.

Much of the data appears to relate to Mondee subsidiary TripPro, a travel agent platform that allows self-service flight ticketing and hotel booking and is used by tens of thousands of booking agents and travel startups.

The database, hosted on Oracle’s cloud, contained customers’ personal information, including names, gender, dates of birth, home addresses, flight information, and passport numbers. Some of the data seen by TechCrunch includes full customer passenger name records, or PNR, including ticket and booking details. TechCrunch has also seen customers’ full credit card numbers and expiry dates in the database, and none of the data was encrypted.

TechCrunch verified that the exposed data matches real people’s information. One person we spoke to confirmed their flight information was accurate and said they booked their flights through a popular booking site.

The database also contained non-customer testing data generated by Mondee developers.

The database was first spotted as exposed in late July, according to a listing on Shodan, a search engine that crawls the web for exposed servers and databases. The circumstances of how the database became publicly accessible are not known, though database exposures are often misconfigurations caused by human error.

When reached by email, Mondee spokesperson Karen Gillo did not acknowledge the incident or provide comment. The database became inaccessible a short time after TechCrunch contacted Mondee.

It is not yet known if anyone other than Sen found the exposed database during the window it was accessible from the internet. TechCrunch asked Mondee if the company has the technical ability, such as logs, to determine what, if any, data was accessed or exfiltrated from the database.

Mondee did not say if it plans to notify affected customers of this data exposure.
