Security Experts:

Airlines That Manage Booking Systems Themselves Expose Customer Data

Some of the airlines that manage booking systems themselves have failed to implement important protection mechanisms, exposing their customers’ personal information, a researcher has warned.

Many airlines allow customers to view and make changes to flight details using a unique identifier called the booking reference, or passenger name reference (PNR), and their last name.

The problem is that some airlines have not implemented mechanisms that would prevent someone from obtaining the PNR through a brute-force attack on their booking management system.

Ahmed El-fanagely, a penetration tester based in Egypt, says he has developed a tool that would allow an attacker to access a random individual’s flight information by using common last names and by brute-forcing the PNR. An attacker could also track a specific individual’s travels if they knew their last name and the airline they are using — assuming that the airline is affected by this vulnerability. Alternatively, the attacker could attempt to exploit the flaw against the booking systems of the airlines that are most likely to be used by the victim.

An attacker can use this method to gain access to various types of information, including name, contact information, ticket data, itinerary, passport number, date of birth and even payment information.

The researcher told SecurityWeek that the vulnerability impacts several major airlines in Europe and the Middle East. He has reached out to several of them, but they have all asked him not to name them in his blog post.

The affected companies appear to be using a booking management system from Amadeus, a Spain-based provider of global distribution systems (GDS) whose services are used by more than 200 airlines worldwide.

This is not the first time a researcher has disclosed security weaknesses in Amadeus products. In fact, earlier this year, experts warned that the Amadeus reservation systems used by hundreds of airlines exposed the details of millions of travelers due to an insecure direct object reference (IDOR) vulnerability and the lack of brute-force protections.

Amadeus has since made some improvements and implemented protections against brute-force attacks and other threats. However, these protections, which include anti-bot and anti-brute force mechanisms, are only available to airlines that allow Amadeus to manage the booking system for them. Airlines that choose to manage the booking system themselves and host it on their own infrastructure must implement the protection systems themselves, which many have apparently failed to do.

“The airline websites where the booking pages are affected by this vulnerability are NOT managed by Amadeus, they are either managed by the airlines themselves or by other non-Amadeus providers. Where Amadeus manage the booking pages for airlines there are protections in place against brute force attacks,” Amadeus told SecurityWeek.

The company explained, “The researcher confirmed that when the same test was run on an online booking website managed by Amadeus there were brute force protections in place to block the script, and that online booking website managed by Amadeus had protection against the vulnerability.”

Related: Check-in Links Sent by Several Airlines Expose Passenger Data

Related: Reservation Systems Used by Many Hotels Expose User Data

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.