Security | 8.05.2024

FlySafair R10 ticket sale loophole

The FlySafair website had at least one vulnerability that could have allowed users to sidestep its waiting room page, which randomly selected users who could book domestic flight tickets for R10 each during its annual birthday sale.

The exploit was discovered and shared by MyBroadband reader Charl Kruger on the day of the sale — Wednesday, 8 May 2024.

Kruger successfully bypassed the birthday.flysafair.co.za waiting page using the Chrome browser’s developer tools and Incognito Mode, which prevents the collection of cookies.

He initially attempted to notify the airline about the issue via social media, but his posts were deleted despite not explaining the exact process.

Kruger enabled the network request blocking feature in the command console of Chrome’s developer tools while in Incognito Mode.

He identified two URLs, “assets.queue-it.net” and “hudsonyards.queue-it.net”, that had to be blocked to avoid being redirected to the waiting page.

However, this only worked when opening the FlySafair website by clicking the “Manage My Booking” link in Google Search results for “FlySafair” in the same Chrome Incognito tab.

He was then directed to a spot on the website where he could click on the FlySafair Home page logo and go straight to the booking section.
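The bypass described above worked because the redirect into the waiting room was enforced by scripts running in the visitor's browser, so blocking those scripts removed the gate. As an added illustration that is not part of the article and not FlySafair's or Queue-it's code, the following simplified gate shows the defensive alternative: the queue service mints a signed, short-lived pass when a visitor is released, and the booking server refuses to serve the booking flow without a valid one, so blocking client-side scripts or discarding cookies only sends the visitor back to the queue. The secret, token format and URLs are constructed for the example.

```python
import hmac
import hashlib

# Constructed for this example: a secret shared only between the queue
# service and the origin site, never sent to the browser.
QUEUE_SECRET = b"example-shared-secret-not-real"
PASS_TTL_SECONDS = 300  # a released visitor must start booking within 5 minutes
WAITING_ROOM_URL = "https://queue.example/waiting-room"  # placeholder


def issue_queue_pass(visitor_id: str, issued_at: int) -> str:
    """Queue side: mint a pass once the visitor has been released from the waiting room."""
    payload = f"{visitor_id}:{issued_at}"
    sig = hmac.new(QUEUE_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_queue_pass(token: str, now: int) -> bool:
    """Origin side: accept only a pass whose signature is intact and whose age is within the TTL."""
    try:
        visitor_id, issued_at_str, sig = token.split(":")
        issued_at = int(issued_at_str)
    except ValueError:
        return False  # malformed token
    expected = hmac.new(
        QUEUE_SECRET, f"{visitor_id}:{issued_at}".encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False  # forged or tampered token
    return 0 <= now - issued_at <= PASS_TTL_SECONDS  # reject expired or future-dated passes


def handle_booking_request(cookies: dict, now: int) -> tuple[int, str]:
    """Simplified request handler for the booking section.

    The check runs on the server before any booking page is rendered, so it does not
    depend on a redirect script being loaded or on any client-side state the visitor
    controls. Without a valid pass the response is a redirect back into the queue.
    """
    token = cookies.get("queue_pass")
    if token and verify_queue_pass(token, now):
        return 200, "booking page"
    return 302, WAITING_ROOM_URL


if __name__ == "__main__":
    now = 1_715_000_000
    good = issue_queue_pass("visitor-1", now)
    print(handle_booking_request({"queue_pass": good}, now))   # (200, 'booking page')
    print(handle_booking_request({}, now))                      # no cookie -> redirect to queue
```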

Bypass easily replicated

While this process might sound highly complex to less technical readers, a MyBroadband staff member with very little formal IT training could replicate Kruger’s exploit by following instructions on Chrome’s FAQ pages.

However, the staff member also had to add the “birthday.flysafair.co.za” URL to the blocklist to prevent being redirected to the waiting page.

They confirmed they could see and add flights available for R10 to their basket.

However, they did not complete the process as they believed it would be unfair to those waiting in the queue for their turn.

The staff member took the screenshots below to share with FlySafair as proof of the exploit.

MyBroadband notified FlySafair about the exploit just after 15:00 on Wednesday to set up a coordinated disclosure once the issue was fixed or the special was over.

The airline’s chief marketing officer, Kirby Gordon, thanked MyBroadband for the information and assured it would attend to the issue as soon as possible.

MyBroadband’s subsequent attempts to bypass the waiting page two hours later were unsuccessful. At that stage, around 13,000 of the 50,000 tickets remained.

The previous years’ sales ended earlier in the day. That would suggest the exploit was not widely known, and many people were still in the waiting room.

Gordon followed up with MyBroadband at 17:20 and said the team was running final tests, but the issue appeared to be “tied up”.

He also said the exploit’s usage seemed minimal and that FlySafair would follow up with Kruger on Thursday to thank him for the report.
