If you’ve been dreaming about tanning on Miami Beach versus visiting your family in Minneapolis this holiday, a security flaw involving Delta Airlines’ electronic boarding pass system might just make that a reality. Dani Grant, a product intern at BuzzFeed and founder of Hackers of NY, realized she could share the URL to her boarding pass for anyone to download. Then, by changing a digit in the URL, someone else’s boarding pass (even on another airline) popped right up.
But, this doesn’t mean you can look forward to traveling somewhere you weren’t supposed to (unlike buying a movie ticket for one film and walking into another). You’d need to have a legitimate boarding pass in your own name to get past the TSA. Then if you successfully obtained someone else’s boarding pass, it’d have to originate from the same airport you’re at. In other words, if you’re holding a boarding pass from New York to Minneapolis, that Atlanta to Barcelona ticket won’t do much good.
The TSA’s press secretary Ross Feinstein said in a statement that “Travel document checking is just one layer of TSA’s defense for aviation security. Officers are trained to detect and potentially deter individuals who may attempt to board an aircraft with fraudulent documents.” Basically, if you happened to try to board an aircraft as someone else, it’s a crime. So there’s that.
We’ve reached out to Delta for comment and will update when (and if) they respond.
Update: Delta spokesperson Paul Skrbec said in a statement to TIME Magazine on Tuesday afternoon: “After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring,” adding that the airline is still investigating the problem but isn’t aware of any compromised customer accounts.