Spying on People Through Airportr Luggage Delivery Service

Airportr is a service that allows passengers to have their luggage picked up, checked, and delivered to their destinations. As you might expect, it’s used by wealthy or important people. So if the company’s website is insecure, you’d be able to spy on lots of wealthy or important people. And maybe even steal their luggage.

Researchers at the firm CyberX9 found that simple bugs in Airportr’s website allowed them to access virtually all of those users’ personal information, including travel plans, or even gain administrator privileges that would have allowed a hacker to redirect or steal luggage in transit. Among even the small sample of user data that the researchers reviewed and shared with WIRED they found what appear to be the personal information and travel records of multiple government officials and diplomats from the UK, Switzerland, and the US.

“Anyone would have been able to gain or might have gained absolute super-admin access to all the operations and data of this company,” says Himanshu Pathak, CyberX9’s founder and CEO. “The vulnerabilities resulted in complete confidential private information exposure of all airline customers in all countries who used the service of this company, including full control over all the bookings and baggage. Because once you are the super-admin of their most sensitive systems, you have have [sic] the ability to do anything.”

Posted on August 1, 2025 at 7:07 AM
5 Comments

Comments

Clive Robinson August 1, 2025 10:07 AM

@ Bruce, ALL,

With regards,

“So if the company’s website is insecure, you’d be able to spy on lots of wealthy or important people.”

Watching the MSM and trade press, they no longer appear to cover this sort of story…

Because they are now so numerous they are at most “background noise”.

They need it to be spiced up somewhat such as being the root cause of a kidnapping or worse. With graphical blood, guts, and other body parts strewn around.

However I’m hopeful that,

“lots of wealthy or important people”

Might take notice and an interest thus put pressure on those whose hands get greased by lobbyists.

Such as new regulation or legislation appears.

TimH August 1, 2025 10:45 AM

This will continue.

There’s no penalty for the companies’ execs for the most egregious breaches.

After all, they take security very seriously.

Snarki, child of Loki August 1, 2025 10:49 AM

So: redirect luggage of “powerful people”;
insert drugs, dismembered corpse parts, Apple AirTag;
include blackmail note: Authorities will be knocking on your door in 15 minutes unless…

Hilarity ensues.

not important August 1, 2025 5:44 PM

@Clive said ‘Might take notice and an interest thus put pressure on those whose hands get greased by lobbyists. Such as new regulation or legislation appears.’

I wish. All legislators work reactively, with the real trigger being their personal negative experience related to security issues and/or privacy violation.

Hackersprey August 7, 2025 2:53 AM

That’s a serious cybersecurity red flag.
Any third-party service—especially one handling sensitive logistics like Airportr—can become a goldmine for attackers if not secured properly. Insecure web infrastructure can expose real-time travel data of high-value individuals, opening doors for surveillance, social engineering, or even physical theft.

This is why 3rd-party and supply chain vulnerabilities are a critical topic in our cybersecurity training at Hackersprey. Awareness and proactive testing are the only ways to reduce these risks.
