back to article Ryanair disses booking system security fears

Budget airline Ryanair has reacted with indignation to suggestions that its booking system ought to be more secure. While most airlines only allow modifications to bookings once a passenger has verified themselves using a password and booking reference, Ryanair adopts a lower standard. German newspaper Der Tagesspiegel found …


This topic is closed for new posts.
  1. Ants 2

    I don't know why they are complaining...

    It's a golden opportunity for them.

    1) Provide username/password to user at time of booking

    2) If they didn't print it off at the time, charge them £40 for a reminder

    Or something along those lines. Whatever needs to be changed, Ryanair will work out a way to milk a profie from it.

  2. Wommit

    Why should

    RyanAir care more about the security of the self loading cargos personal details than they do about the comfort and convenience of the cargo itself?

  3. Anonymous Coward

    You pay peanuts? You get monkeys.

    Ryanair: By cheapskates. For cheapskates.

    (Downvote all you want. It won't help you get your money back :0) )

  4. Tron Silver badge

    No sympathy.

    Anyone who supports the revenue stream of ChavAir deserves all they get.

    1. Yann BZH
      Thumb Down

      Some of us just don't have a choice

      There's simply no competition on some routes, thus making ryanAir almost compulsory.

      That doesn't make us, its users, cheapscapes, or less deserving of good, friendly customer services and travelling in relative comfort and stress free environment, none of which is applicable to travelling with ryanAir at the moment.

      Being characteristically arrogant is surely more important.

      1. This post has been deleted by its author

    2. Piro Silver badge


      Ah yes, I'd love you to tell me all the other ways I could fly to Jutland. RyanAir is more often than not, not only the cheapest, but the only way.

      1. Anonymous Coward


        "...more often than not..." ? So you do have a choice then.

        As ever, it depends where your flying from. But KLM, British Airways, Lufthansa, Sun Air et al. can all get you to Billund.

        (You're welcome)

        If the drive to an alternative airport (Vs. having secure flight/booking details(?)) bothers you, then I refer you to previous cheapskate/ChavAir comments above.

        Good day to you Sir.

  5. wl_deav

    Problem with this

    There is a problem with the attack described in this article. It assumes that there is no lockout after X invalid login attempts. Such a system would be almost too easy to implement.

    1. Anonymous Coward
      Anonymous Coward


      All a hacker would need is access to a botnet, then no lock out!

      1. wl_deav

        Lock out

        Could be based on email address. After 5 invalid login attempts from an email address account is locked. Simples.

        1. The Commenter formally known as Matt


          Yep then when the original customer wanted to access their details they would just have to ... oh.

  6. Steve Davies 3 Silver badge
    Thumb Up

    A case of speaking too soon then


    There's no evidence that miscreants have subverted Ryanair's booking system


    Now that the exploit is wekk known thans to EL Reg then I'd expect that jhonny crim will be up to no good very soon.

    Kudos to El Reg. Ryan-I-will-get-round-to-charging-you-for-the-air-that-you-breath-Air are by a long way the worst airline I've ever had the misfortune to fly with. It takes a lot to beat some of the ex-Areoflot routes I flew in the early 1990's.

  7. Robin

    The Ultimate Tweak

    "Ryanair would do well to consider making tweaks to its website."

    Like taking it off the internet forever, along with its late-90s style flashing ads for hotels and car hire.

  8. andy 103

    Just been to their website - never visited it before - hello 1999! If that's any sign of how competent their web developer(s) are then this really doesn't come as a surprise.

    1. Ken 16 Silver badge
      Black Helicopters

      It's an excellent site

      for what it (probably) cost...

      Black Helicopter because Rendition is the only way to fly with less frills than Ryanair

  9. Anonymous Coward
    Anonymous Coward

    Ryanair won't give a damn about this

    If your booking is modified they will assume it was your fault for giving out your account details. If it is then possible to change the booking back they will charge you a re-booking fee. If your booking is not modified then no harm no foul. Either way it is better for their bottom line - they make more out of the punters or they save money on hiring web developers.

    In reality no-one actually chooses to fly with Ryanair. people who use Ryanair either do so because there is no-one else flying from their local airport to their chosen destination or because they are unable / unwilling to pay the extra money other airlines charge. Ryanair have already lost all the customers it is possible for them to lose so why should they bother about this?

    1. Loyal Commenter Silver badge


      The sooner Aer Lingus start doing off-peak flights between my local airport and Dublin, the better.

  10. Dr Wadd

    Better than National Geographic

    The National Geographic website only needs your subscription number in order to access your account settings. This would be the account number that is printed on the shipping label of every issue I receive. Granted, the scope for mischief is somewhat smaller, but it would appear that you can do things like change the delivery address this way.

    I contacted their customer support to express my concerns only to receive a rather generic response that they would take the comments in to consideration. In comparison Ryanair's security methods seem positively robust.

  11. despairing citizen

    Thank You Ryanair!

    I look forward to you contributions to the UK tax payer via the £500k ICO fines, every time you loose personal data through management stupity.


    the current statements from the ICO basically go along the lines of if you do not take basic precautions, then don't be surprised if you get the book thrown at you when the screw up occurs.


    I'm only unhappy that the government chickened out and didn't give the ICO the same data breach fining capabilities as the FSA.

    1. Anonymous Coward
      Anonymous Coward

      The title is required, and must contain letters and/or digits.

      The ICO are useless when it comes to data protection. Just look at the way BT sent their customer details to ACS:Law in an unecrypted and unsecure format despite a court order and the ICO's complete lack of action as a result.

      Thinking that the ICO will actually do their job is pointless since they've already refused on multiple occasions now to do it. It's just a pity that it's not one of those quangos on Cameron's hit list.

  12. Pete 2 Silver badge

    possible != probable

    So there's a possibility (Q: has it ever, actually happened) that a bad person could change the details of a fliers booking, or cancel it. So, apart from doing mischeif what the hell would be the point? There's no possibility the bad person could make a financial gain for themselves from this - which therefore rules out 99.9 ... percent of the motivation for doing bad things to other people via the internet.

    At best the miscreant would cause an unknown amount of inconvenience to a person they've never met. [If the target was someone they knew, they would surely have more direct ways of annoying them and could use their knowledge of that person to much greater effect].

    So, yes. In theory this sort of activity may be possible. In practice the reasons for doing so would be so slight that an argument could be put that the person doing it had a mental health problem. In the real world it would be interesting to hear if there were any stories of this happening - either proven or even hearsay, to let us quantify the actual size of the problem.

    1. andy 103

      you're missing the point

      The point is that to stop it happening at all is so simple that whether or not it will/has happened is irrelevant.

    2. Frank Bitterlich
      Paris Hilton

      Reasons for doing so...?

      You're right, that's ridiculous. Why would anybody want to do that? That's almost as silly as sending out billions of email messages advertising for Viagra or online poker sites. What's the point? Nobody would do that.

      Still, I'll bet that it will happen in less than two weeks.

      Paris, for obvious reasons. Beauvais, though, not Charles de Gaulle.

    3. Anonymous Coward
      Anonymous Coward

      The title is required, and must contain letters and/or digits.

      Mas cancellations would be one thing competitors might be interested in doing, or perhaps even unhappy employees that think their own company is taking the piss might try. Think BA and BASSA for example, or BA and Virgin (if memory serves BA were found guilty in a court of law of persuing a dirty tricks campaign against Virgin some years ago - poaching Virgin customers was apparently one of the tricks used). Make the mechanism for viewing a booking too simple and this sort of tactic becomes possible. After all, with Ryanair if all that's needed is the email address then a bot could go through and try different values until one or more is accepted.

      It could cause quite a few financial problems for the company concerned if they suddenly faced a large number of mysterious cancellations and had to pay back all the money associated with those trips. There's also the damage to the reputation of the company to take into account when they have to face the customers that didn't know this had happened (and for all we know could turn up at the terminal thinking they still had a flight to catch).

  13. Anonymous Coward
    Anonymous Coward

    British Airways are almost as bad

    They just send out an email with a hyperlink to the booking. Anybody who has been forwarded that email for whatever reason can change the booking. If anybody else manages to access the message then they can make changes too. The web page itself once you go to it is not protected in any way beyond the security-by-obscurity of having to know the exact URL. Once you're in, you're in and can make pretty much whatever changes you want to.

  14. Jeremy 2

    It's not just RyanAir

    A lot of airlines have 'login' systems for flight modifications that those of us with an understanding of how it should be done would turn our noses up at. Normally all you need is the record locator and perhaps the passenger surname which admittedly isn't as poor as the email/date/origin example in the article but it isn't exactly what you'd consider a strong password either - they're typically 6 character alpha-numeric codes.

    Last year, my mother flew BA to visit me. To make sure I had the right flight numbers, arrival times, etc, she forwarded the itinerary email which contained a direct link to edit her booking (no login required) and do anything from the silly like order a special meal to the serious like cancellation, modifications and entering passport numbers, etc. You'd think that the airline would be smart enough to separate the itinerary (which they must realise some people are going to forward) and the account/e-ticket information into separate emails.

    You'd think in this day and age (and I mean of computer security not 'terr-ists') that they'd have a clue about how to write a login system but I guess not?

  15. rpjs

    Uh, BA

    British Airways only require the booking ref and passenger's surname to access a booking. OK, I don't think you can add any paid-for items without having to pay for them there and then but still, seems a bit double standards to me, even though like all sane people I too detest Ryanair.

  16. BenB

    Ryanair charge for changes

    This isn't really too much of an issue as Ryanair require you to enter card details to make any changes to the booking (even cancelling or name changes). And it doesn't get automatically charged to the card used.

    Worst someone can do (for free) is checkin for your flight for you with incorrect passport details (still against your name). (Which to be honest I doubt are checked properly by ryanair anyway).

    Seems a hell of a lot to go through just to cause someone a minor bit of hassle?

  17. Sam Liddicott

    and for the flight plan

    Would Ryan air be happy to have the same sort of security on the system where they submit their flight plan?

  18. JaitcH

    Lost your res info? No problem, just contact ...

    U.S. Homeland Security as they get everything about you and your flight including e-mail address(es), credit card numbers, passport number and DOB, meal preferences, seat assignment info, frequent flyer card numbers, home address and telephone number, cell number (if used anywhere in flight process), etc.

    They draw down credit bureau info, too. Hotel reservations, other transportation details booked through any res system is also fully accessible to them.

  19. Anonymous Coward

    Denial = FAIL

    How long until Ryanair is hacked by some script kiddy?

  20. Anonymous Coward

    The title is required, and must contain letters and/or digits.

    Why is anything to do with Ryanair even news any more? Surely anybody stupid enough to use this company should know by now exactly what to expect?


    Now THAT would be news.

  21. syklops


    What the flup is with all the ryanair hostility? Before they came along, Aer Lingus and BA had no qualms what so ever, charging a 700 GBP to fly all the way from Dublin to London. Now you can fly between the 2 cities on a range of airlines for less than the price of a good night out. Thank you Ryanair for doing that.

    I flew home last week with Aer Lingus and spent the week before worrying if they would be on strike the day I flew out and spent half my holiday worrying whether they would still be on strike when it was time to fly back.

    Ryanair bashing has become the new 'cool by keyboard warriors, but at the end of the day, it just makes the poster come off like a wanker.

    As has been pointed out, any changes to the booking require the person to enter the credit card details, which means all the attacker actually gains is the time and flight number the person is flying on, hardly the hack of the century.

This topic is closed for new posts.