Vulnerability in parking company site at Schiphol facilitated theft of data and cars
A vulnerability in the website of a parking company near Schiphol allowed a malicious person to easily view and print other customers’ reservation details. With this printout, other people’s cars could be taken without any problems.
Thanks to a tip, the editors of the television program Kassa found out that other customers’ reservation details could easily be viewed by changing the URL of a reservation page. Apparently the reservation numbers appeared unaltered in the web page addresses. After changing the number, a copy of the reservation could be printed, with which a malicious person could pick up a stranger’s car without further ado. This was made possible in part by the fact that the company’s staff apparently failed to verify the customer’s identity when the car was collected.
It was not only a potential victim’s car that was at risk. All data involved in such a parking reservation could also be viewed when a malicious person changed the URL. Kassa speaks of personal data, a description of the car and the time period of the customer’s absence. It may also have been possible to view payment details, but the program does not talk about that.
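The flaw described above is a missing authorization check on an identifier taken from the URL. As an added example (not code from the company's site or from Kassa), this Python code sets the flawed lookup beside two hardened ones; all names, the sample records and the token scheme are assumptions.

```python
# Added illustration: constructed data and hypothetical names throughout.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Reservation:
    number: int            # sequential number, as it appeared in the URL
    customer_id: str
    car: str
    away_period: str
    # Unguessable per-reservation token for links sent by e-mail (assumption).
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed sample records.
DB = {
    1001: Reservation(1001, "alice", "grey Volvo V60", "2 Jan to 9 Jan"),
    1002: Reservation(1002, "bob", "red Fiat 500", "3 Jan to 17 Jan"),
}


class Forbidden(Exception):
    pass


def view_vulnerable(number):
    """Flawed pattern: the number taken from the URL is the only input."""
    return DB[number]


def view_for_session(session_customer_id, number):
    """Hardened: the logged-in customer must own the reservation."""
    res = DB.get(number)
    # Same error for 'missing' and 'not yours', so numbers cannot be probed.
    if res is None or res.customer_id != session_customer_id:
        raise Forbidden("reservation not available")
    return res


def view_for_link(number, presented_token):
    """Hardened, no login: the link must carry the reservation's secret token."""
    res = DB.get(number)
    # Constant-time comparison of the presented token with the stored one.
    if res is None or not hmac.compare_digest(res.token.encode(), presented_token.encode()):
        raise Forbidden("reservation not available")
    return res
```

Neither hardened lookup replaces the identity check at the counter: a printed reservation is still only a piece of paper.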
The vulnerability was present at the parking companies of Airport Parking Solutions. This appears to be a holding company, and at least the company VIP Parking falls under it. Kassa also put it to the test there. The program managed to take other people’s cars there three times. The security vulnerabilities have now been closed, the owner of the companies tells Kassa. The data is now only provided by e-mail. The employees were also instructed to actually check identities, which was already mandatory but was not being done.
In a response to Kassa, Schiphol Airport emphasizes that the companies are not affiliated with the airport and that it therefore bears no responsibility for their business operations. Moreover, Schiphol itself also offers such parking spaces for the longer term.