Hacker News
by drdaeman 3028 days ago
So did the message to the support, screenshotted in the article.

And it's not just "any party sitting at a cafe". It specifically requires that this malicious party is sitting in the same cafe, present (physically or remotely) at the moment the site is accessed. So it's more likely to be an airport's WiFi network - which is a much more probable place where an unsuspecting traveler may access such a page. Hunting for a cafe with someone buying tickets from a specific airline is probably too complicated to pay off, unless the attack is personal.

Anyway, I don't argue this is all very bad. It is. What I want to say is that the problem was communicated in a very poor way. And even this follow-up blog article is so light on details, a person without some security knowledge would quite likely shrug it off with an impression it's some tinfoil-hatter screaming at analytics trackers.