CardCrypt vulnerability: Aer Lingus and others hit by serious credit card leakage

Perhaps the most worrying part is the basic nature of this security fail

(The article has been amended to carry the statement below: "As of a call with easyJet that concluded at 14.05 on Wednesday 9th December, Wandera is pleased to say that easyJet has confirmed that this is no longer an ongoing issue." – Eldar Tuvey, CEO and co-founder, Wandera.)

Another major security hole, dubbed CardCrypt, has been discovered, and this time it involves financial information as well as personal data: credit card details are leaking during purchases made through certain firms' mobile websites and apps.

HTTPS failure

Perhaps even more worrying is the basic nature of this vulnerability, as the leak is occurring because these organisations' sites and apps are not using HTTPS to encrypt the data being sent from the phone to the company. Instead, the sensitive financial details are simply being transmitted over a standard HTTP connection, leaving them open to interception and subsequent misuse.

Isn't HTTPS a requirement in such transactions? Indeed it is: PCI DSS (the Payment Card Industry Data Security Standard) stipulates that any sensitive cardholder information must be encrypted when transmitted over public networks, for obvious reasons.
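To show what the failure described above looks like in traffic, here is an added detection script (not from the article or from Wandera) that scans proxy-style request records and flags any request carrying a Luhn-valid card number over plain HTTP. The sample records, hostnames and field names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request records (method, url, form body); not real captures.
SAMPLE_REQUESTS = [
    ("POST", "http://m.example-airline.test/pay",
     "cardNumber=4111111111111111&cvv=123&expiry=1219"),   # card data, no TLS
    ("POST", "https://m.example-airline.test/pay",
     "cardNumber=4111111111111111&cvv=123&expiry=1219"),   # same data, but over TLS
    ("GET", "http://m.example-airline.test/flights?from=DUB&to=LHR", ""),  # no card data
    ("POST", "http://m.example-airline.test/pay",
     "cardNumber=1234567890123456&cvv=999"),               # fails Luhn: not a PAN
]

# Candidate primary account numbers are 13 to 19 digits long.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from other long numeric IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_card_data(encoded: str) -> bool:
    """True when any form/query field holds a Luhn-valid 13-19 digit number."""
    for values in parse_qs(encoded, keep_blank_values=True).values():
        for value in values:
            if any(luhn_ok(m) for m in PAN_RE.findall(value)):
                return True
    return False


def find_cleartext_card_requests(records):
    """Return URLs of requests that send card data without TLS (scheme != https)."""
    hits = []
    for _method, url, body in records:
        parts = urlsplit(url)
        if parts.scheme.lower() != "https" and (
            contains_card_data(body) or contains_card_data(parts.query)
        ):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in find_cleartext_card_requests(SAMPLE_REQUESTS):
        print("card data sent over cleartext HTTP:", url)
```

The same logic can be run over an intercepting proxy's export during app testing to confirm that every payment request leaves the device only over HTTPS.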

Eldar Tuvey, CEO of Wandera, commented: "We believe there are two likely reasons why HTTPS has not been used. It could be a flaw in the coding, or it could be a case of relying on inadequate third-party services or libraries. Either way, it's astounding to me that these companies have failed to exercise sufficient care in the collection of their customers' personal data."

There could well be other companies afflicted by the same flaw, too. Meanwhile, the above firms have already been notified of this problem, and are hopefully taking action (or have already taken it).

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).