Airline company takes months to patch the vulnerability

Feb 14, 2012 14:14 GMT  ·  By

Southwest Airlines has finally updated its flawed iPhone app, after warnings from a computer science student and coverage by several news stations and newspapers over the course of three months.

Via Slashdot comes word that a master's computer science student at the University of Colorado (Colorado Springs) discovered a major security flaw in Southwest Airlines’ iPhone app in December.

The company failed to patch the software until yesterday, leaving its users’ private information vulnerable for months.

“…in November I performed a security audit of 230+ popular iOS applications because I wanted to know how secure apps on smartphones and tablets really are,” the computer whiz wrote on February 12.

“I made a shocking discovery. The largest single potential security breach was with the Southwest Airlines application. Southwest Airlines' iPhone app leaves a user's information vulnerable to hackers. When you log in to the application on your phone using your Rapid Rewards account, the app submits your username and password information as plain text (unencrypted) to a Southwest remote server (mobile.southwest.com),” he explained.

He proceeded to offer a few examples of how this vulnerability could be exploited by hackers (including booking an expensive flight in the victim’s name), and advised everyone to steer clear of the app until a patch is made available.

“I contacted Southwest when the vulnerability was found in early December and they still have not released a patch as of today and they have never contacted me back about the vulnerability,” he said. “Until the security flaw is fixed, the best solution is to not use the application.”

The computer expert added that local NBC and ABC news stations and the Denver Post covered the story as well.

And wouldn’t you know it - Southwest just released a new version of their iPhone app the other day, with the following changelog: “Update specific login features for Rapid Rewards accounts to fix security vulnerability when logging into account.”

Editor’s note: Good job, Southwest! The least you could do is answer this guy’s email and thank him that you didn’t make the news for a terrorist attack.