A BuzzFeed intern and NYU senior recently claimed to have hacked Delta's paperless boarding pass system by changing just one digit in a URL. "On Delta, you can change the URL of your boarding pass and get someone else's boarding pass," Dani Grant wrote in a Medium post. "Even if they're on a different airline." This seems crazy.
Could Delta's cyber security really be so shitty that tweaking a URL would give you access to someone else's boarding pass? We contacted Grant for more details, and she sent over two URLs. The first was apparently used on a November 6 flight between Los Angeles and San Francisco. Grant said she changed a single digit in the URL and saw someone else's boarding pass for a different flight. It takes a little bit of brute force, though. "It's luck of numbers," Grant said in an email. "Not every URL string corresponds to a valid boarding pass -- if you keep changing digits you'll find one."
We tried the same thing -- dozens of times -- and it didn't work. BuzzFeed and Mashable say they successfully replicated the hack, although all of the screenshots are the same as the ones Grant included in her original post. It's worth noting that all of these screenshots show boarding passes that are between one week and two months old. When pressed about the example that she gave Gizmodo, the college student said that the URL "seems to have expired."
It's also possible that Delta fixed the vulnerability when it was first reported. Grant acknowledged as much. "Another explanation is that URLs are set to expire after a set time, or have some sort of rate limiting -- they expire if too many people are clicking on them," she said. Plus, who knows if the trick will work on unused boarding passes.
For now, it's probably safe to say that something is amiss with Delta's online boarding passes. We've contacted the airline to find out more and will update this post when we hear back. (Delta appears to have sent Grant an automated response -- see below -- when she reported the issue to the airline.) In the meantime, don't go sharing your boarding pass URLs with everyone this holiday season. That's actually probably a good rule, no matter what.