Update Aug 21, 00:02 PT: TripIt’s immediate steps have stopped travel details from being sent insecurely, leaving only identifiers exposed. TripIt has a very reasonable plan and timeline in place to completely fix this rather complex issue, and has told me they’ll be providing security contact information on their website so that situations like this don’t go unresolved.

TripIt is also working on an email encryption issue (lack of STARTTLS) brought up by security and privacy researcher Christopher Soghoian.

Thanks, TripIt! I continue to be a very happy TripIt Pro user, and I highly recommend them for frequent travelers needing some sanity. I’m confident these changes will be great.

//

Original post:

Although I love using TripIt to organize my travel, if you subscribe to a TripIt calendar feed using an application like OS X or iOS Calendar, details about your past and upcoming travel are sent in plaintext, unencrypted, out over the net:

Your name

Trip summaries (where you’re going and when)

Flight details (to and from airports, flight numbers, dates and times, and flight confirmation numbers)

Hotel reservations (hotel and address, confirmation numbers, and dates)

Train bookings (dates, train numbers, seat numbers, confirmation numbers)

Rental car details (company names, locations, dates, confirmation numbers)

Why is it so terrible to broadcast this information out on public wi-fi hotspots without any encryption?

TripIt is sending out your name and the dates and locations of where you’re going to be – prime opportunities for thieves to break into your home. And since an attacker sniffing your wi-fi traffic at a café now has your TripIt calendar feed URL, they can check in on your travel plans whenever they want (assuming you haven’t changed the URL or disabled the feed).

I’m more concerned about disruptions to travel, though – which can be financially and emotionally devastating. Most airlines require only a confirmation number to change or cancel flights – that’s probably why TripIt sends it out, for your convenience *sigh*. Hell, a few US airlines will change flights with a direct message conversation on Twitter, as long as you have that six-character confirmation number.

In fact, if you go to this airline website, it only asks you for your first name, last name, and confirmation number – all details that TripIt sends out unencrypted in their calendar feed, as demonstrated here:

So, what can you get from this airline, with only that information that TripIt broadcasts out?

Yeah, that’s right: if an attacker is listening to your network traffic while on a public wi-fi hotspot, they could easily get your full legal name, phone number, email address, frequent flyer number, last four digits of your credit card number (often used as a security token by itself), emergency contact information, and they can even change or cancel your flight.

The same could be said for your hotel, car rental, train booking, etc. The more information an attacker has, the more likely it is that they can cause damage or use social engineering techniques to get even more information about you.

“Hi, Residence Inn? My name is John Doe and my confirmation number is ABC123. My wife is in your lobby and doesn’t have her key…”

Again, all of this incredibly sensitive detail is sent every time a user refreshes their calendar feed – sometimes that’s manual, but usually it’s automatically refreshed every week, hour, or even every five minutes. Every five minutes over an open wi-fi network is just asking for trouble.

I don’t know if there is a way to securely implement calendar feeds, but TripIt makes no real attempts to let users know that their details are being sent insecurely, available to anyone with a network sniffer on an open wi-fi network. And since airports have open wi-fi networks, talk about a target-rich environment…

I’ll give TripIt a participation point for using SSL on the web, allowing users to change their calendar URL, and having a buried option labeled “Include detailed items in your calendar feed” — but nobody is going to know what that really means, and there are still security concerns even if a potential attacker can’t get a confirmation number.
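As an added example (not code from the original post, and not TripIt’s own), here is a small Python self-audit a subscriber could run against their own feed: it checks whether the subscription URL is fetched over TLS and scans each event for the “detailed items” listed above, such as confirmation numbers and seat assignments. The feed URL and the iCalendar body are constructed sample data, not a real TripIt feed.

```python
import re
from urllib.parse import urlparse

# Constructed sample iCalendar body in the style of a travel calendar feed (hypothetical data).
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
SUMMARY:Flight XY 123 SFO to JFK
DTSTART:20120901T140000Z
DESCRIPTION:Traveler: John Doe\\nConfirmation #: ABC123\\nSeat: 12A
END:VEVENT
BEGIN:VEVENT
SUMMARY:Residence Inn check-in
DTSTART:20120901T220000Z
DESCRIPTION:Confirmation Number: 987654321\\n123 Example St
END:VEVENT
END:VCALENDAR
"""

# Detailed items the post describes as exposed; extend with train/rental-car fields as needed.
SENSITIVE_PATTERNS = {
    "confirmation number": re.compile(r"confirmation(?:\s*(?:number|#|no\.?))?\s*[:#]\s*[A-Z0-9]{5,}", re.I),
    "seat": re.compile(r"\bseat\s*:\s*\w+", re.I),
}

def transport_is_encrypted(url):
    """webcal:// and http:// are fetched in the clear by most calendar clients; only https is encrypted."""
    return urlparse(url).scheme.lower() == "https"

def parse_events(ics_text):
    """Minimal RFC 5545 reader: unfold continuation lines, then collect VEVENT properties."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    events, current = [], None
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, _, value = line.partition(":")
            # Drop property parameters (e.g. DTSTART;TZID=...) and unescape ICS newlines.
            current[name.split(";")[0].upper()] = value.replace("\\n", "\n")
    return events

def audit_feed(url, ics_text):
    """Return (event summary or 'transport', finding) pairs describing what the feed exposes."""
    findings = []
    if not transport_is_encrypted(url):
        findings.append(("transport", "feed fetched without TLS (%s)" % urlparse(url).scheme))
    for ev in parse_events(ics_text):
        text = ev.get("SUMMARY", "") + "\n" + ev.get("DESCRIPTION", "")
        for label, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(text):
                findings.append((ev.get("SUMMARY", "?"), label))
    return findings
```

Run `audit_feed` on your own subscription URL and a copy of the fetched .ics; any finding other than an empty list means the feed is carrying the kind of detail the post warns about, and a transport finding means it is carrying it in the clear.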

You can’t disable the calendar feed – but you can choose not to use it.