Date: 2018-03-06

Before you book your tickets to Puerto Rico for spring break, you should consider an illuminating–and frightening–cautionary tale from software engineer and data security expert Konark Modi.

Like many of us, Modi was simply booking some plane tickets for his family on the Emirates website when he noticed a few things that his inner internet privacy advocate found alarming. Specifically, “when you book your flight through Emirates, Domestic or International, there are approximately 300 data points related to your booking,” he writes in a March 2 Medium post. This data is compiled for the customer on a personalized “Manage Preferences” page that they receive in an email once they book a flight.

Yet Modi found that the URL of that page–and the data points it contained–were also being shared with “approximately 14 different third-party trackers like Crazy egg, Boxever, Coremetrics, Google, and Facebook among others.”

At first blush, this sort of behavior is a sad and obnoxious reality that those of us on the web deal with every day: personal data shared with third-party trackers. But what made matters worse: the URL included in Modi’s email used the HTTP protocol—that is, it began with “http://”—which is notoriously insecure compared with HTTPS, and can make supposedly “private” webpages accessible to hackers and other adversaries.

As Modi points out, this isn’t just obnoxious: it’s downright dangerous. “Anyone who has access to these links can not only read but also edit the information that I as a user can,” he writes. That includes changing or canceling the flight, checking out your passport information, changing your seat or meal preference and more.

Modi, who notes that there is no evidence that any of this data has been abused, shared his findings with the airline in October 2017, both through a Twitter DM conversation with the company’s social media team, and through an email to the app’s product manager, but was met, he says, “with a deafening silence.”

Emirates’ web app has been improved somewhat since he first discovered this flaw, according to Modi, but as of Friday the mobile app still reveals what should be private data.