Flight Centre Travel Group (Australia based MNC)
dataBase Dump for fcm.travel :-
dataBase Dump for flightcentreassociates.com :-
Password for zip: whiteHatMrNervous(fcm.travel -> awp_users file contains encrypted passwords for 165 users including admin + email, phone etc. Other tables include email conversation between their customer/staff been carried online via website; flightcentreassociates.com -> shopdetails, tours contain confidential information valuable for competitors)
Vulnerability Details (Important): Flight Centre Travel Group uses ‘Parallels Plesk Panel’ for online login to server which is vulnerable to SQL Injection, Cross site scripting (XSS), Denial of Service, Remote Code Execution, Authentication Bypass, etc. I believe Parallels Plesk Panel current updated version might not be vulnerable to SQL Injection exploited here, but Flight Centre Travel Group’s IT Team had not updated theirs to the latest bug free version. It is because of this that I was able to exploit SQL Injection vulnerability to get access to their database. And then I asked them if the would pay a bug bounty for what I found. They didn’t reply, the very next day I published their leaked database online. Flight Centre Travel Group has not yet been able to catch me for this leak, now as they know Parallels Plesk Panel was at fault and is responsible for their database leak, they might want to take them to court.
Being a whiteHat, I would strongly recommend Flight Centre Travel Group to upgrade Parallels Plesk Panel on all their domains / sub-domains to the latest version available onhttp://www.parallels.com/products/plesk. Only changing the sub domain for login from admin.fcm.travel or admin2.fcm.travel to any other does not protect you from any attacks. As I get list of all your sub domains using dns-mapping. I saw you removed login page from admin2.fcm.travel & admin.fcm.travel, but that move is no good. Please hire some good professional in your IT team, which do regularly check if the technologies they are using are obsolete or not. Lets hope such attacks do not occur again, lets hope that you will take a lesson from this and will not give me another chance to compromise your security and flee with your data in my bag.
Summary:
| Date First Contacted | : | February 09, 2014 |
| Reward demanded | : | USD 5,000 |
| Any Reward Paid | : | No |
| Communication Channel | : | No Reply |
| Vulnerability List | : | SQL Injection |
| Infected object | : | Main domain |
| Retest Infection | : | Definitely will(Vulnerability exists as on 12 March 2014) |
| Leaked database dump/files | : | Yes |
| Received Respect | : | No |
| Received Appreciation for Intimation about Existence of Security Vulnerabilities | : | No |
| Hall of Fame | : | No |
It is really disheartening to see how vulnerable companies under Flight Centre Travel Group (Australia) are. Our details including our travel plans, contact details, etc are all stored by these Travel companies in their dataBase, which is now leaked only because their security is incompetent.
In Travel & Tourism Industry, Flight Centre Travel Group is a big name, a Multi National Company. They promise their clients that they are using best in class technology to gain confidence. While in reality, this is not the case. In addition to this, their staff also ignores a warning email sent to Flight Centre Travel Group informing them about the flaw in security. Now that they know, no one has yet gathered enough courage to come up and talk to the Pentester, provide him with a reward for finding flaw; and in-turn avoid this ShowUp. And they instead took a more drastic step which Amadeus IT Group, Abacus, Hindustan Book Agency, MatchMeCupid, SalesForce did not, they sent a notice under DMCA (Digital Media Copyright Act) for Copyright Infringement to take down the dataBase files uploaded by the pentester. This aggravated the whole situation and the pentester is now focussed on Flight Centre Travel Group of companies to find flaws in all of them and download their data to later publish it online. So that, next time they and any other company thinks twice before sending a Take Down notice or taking any action of any kind against the Tester.
Now it might just be the time, when the customers of Flight Centre Travel Group will rethink on whether they should continue to deal with this company as they do not actively monitor nor safeguard the security of their dataBase, which contains their client’s private data, contact details, and a lot.
If you are one of their Client or planning to deal with them for your travel plans, or if you even send them queries for travel plan, Please be informed that all the data you share with them will be all out there, published on the Internet. You might then want to file law suits against them if your confidential data is among the data which is leaked.
Flight Centre Travel Group, I will bring you on your knees!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Elizabeth Susan Carter – Photography
Store: http://goo.gl/kEa7ul
Facebook: http://goo.gl/mFei5t
Contact: http://goo.gl/ulA9Lm
About: http://goo.gl/pwPdiq
PortFolio:-
