Elias Castillo is an SLPowers Project Engineer. Like most engineers at SLPowers, he lives and breathes cybersecurity. Even in his downtime. Even when researching family vacations. And there are two theme parks that are very thankful he does.
We’ll let Elias tell the story…
Walt Disney World
Back in 2012, I bought yearly passes at Disney World for me and my family. I purchased those tickets online like so many other patrons. When I got to the very end of the transaction, they gave me the option to download my contract in PDF format, and who doesn’t like convenience? I clicked on the link to download the PDF document in my browser, and realized the contract numbers were serialized. My contract number was 1000013124.pdf. Being the naturally suspicious cybersecurity hawk that I am, I wondered whether, by altering the last digit of the contract number in the link, I could access the contract just before mine. Sure enough, I was able to download contracts before and after my contract simply by altering the contract number.
While this vulnerability was not a complex one, it had the potential to be very damaging, since their third-party development company did not take the precautions to protect those files. They simply stored them on their web server without requiring proper authentication before allowing a user to access and download those files.
I reached out to Disney World’s customer service department and after being bounced around from representative to representative, I managed to get the right person on the line with the authority and know-how to take action on my findings. Twenty-four hours later they had taken down the contracts folder.
As a show of gratitude, I was offered the courtesy of taking my family to Disney parks for a day after my annual passes expired, which was nice. But mostly I was relieved that confidential information of other families was no longer at risk of being compromised.
Three years later, in July 2015, cybersecurity threats were on the rise. And I ran into one head-first.
I purchased an annual pass to LEGOLAND online and was routed to the purchase confirmation page. Once again, by changing the confirmation number in the page URL, I was able to see other purchasers’ confirmations, which included a lot of private, valuable information such as full names, addresses, number of children, and the last four digits of their credit card numbers.
I followed the same process – contacting Customer Service and jumping through a lot of hoops with different representatives – until I was put in contact with the Customer Experience Manager who was able to take it to their IT department in Europe and confirm the SQL injection vulnerability.
LEGOLAND offered me and my family a two-day stay at their resort which was very nice and certainly appreciated.
We are about to start planning this year’s family vacation. Let’s hope the next place we go has a tighter grip on their data security. Don’t get me wrong, the freebies are great. But there are way too many cybercriminals looking for their own “freebies.” I’d hate to think they’d find it in the form of identity theft of a hard-working individual just trying to take their family on a nice vacation.
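Both stories describe the same flaw: a document is served by a guessable number in the URL, and the server never checks that the requester owns it. The following is an added illustration, not code from either park or from SLPowers; the contract store, user names and the detection heuristic are constructed for the example.

```python
# Added example: the access-control flaw from the contract-download story,
# beside a hardened handler and a simple enumeration check. Sample data only.
from dataclasses import dataclass
import secrets


@dataclass
class Contract:
    contract_id: str
    owner: str
    body: str


# Constructed store with sequential ids like the 1000013124.pdf in the story.
CONTRACTS = {
    "1000013123": Contract("1000013123", "alice", "Alice's annual pass"),
    "1000013124": Contract("1000013124", "bob", "Bob's annual pass"),
    "1000013125": Contract("1000013125", "carol", "Carol's annual pass"),
}


def download_vulnerable(contract_id, requester):
    """Serves any contract whose id is known: the requester is never checked."""
    c = CONTRACTS.get(contract_id)
    return c.body if c else None


def download_hardened(contract_id, requester):
    """Requires an authenticated requester and checks ownership of the object."""
    if requester is None:
        raise PermissionError("authentication required")
    c = CONTRACTS.get(contract_id)
    # Same answer for "missing" and "not yours", so the response does not
    # reveal which contract numbers exist.
    if c is None or c.owner != requester:
        return None
    return c.body


def new_contract_id():
    """Unguessable reference, so changing the last digit finds nothing.
    Defense in depth only: the ownership check above is still required."""
    return secrets.token_urlsafe(16)


def enumeration_suspicious(requested_ids, threshold=3):
    """Detection heuristic: one session asking for several adjacent numeric ids."""
    nums = sorted(int(i) for i in requested_ids if i.isdigit())
    if not nums:
        return False
    adjacent = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return adjacent + 1 >= threshold
```

Running the vulnerable handler as "bob" against Alice's contract returns her document; the hardened handler returns nothing, and the heuristic flags the three consecutive ids walked through in the story.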