Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Data Protection

Airlines That Manage Booking Systems Themselves Expose Customer Data

Some of the airlines that manage booking systems themselves have failed to implement important protection mechanisms, exposing their customers’ personal information, a researcher has warned.

Some of the airlines that manage booking systems themselves have failed to implement important protection mechanisms, exposing their customers’ personal information, a researcher has warned.

Many airlines allow customers to view and make changes to flight details using a unique identifier called the booking reference, or passenger name reference (PNR), and their last name.

The problem is that some airlines have not implemented mechanisms that would prevent someone from obtaining the PNR through a brute-force attack on their booking management system.

Ahmed El-fanagely, a penetration tester based in Egypt, says he has developed a tool that would allow an attacker to access a random individual’s flight information by using common last names and by brute-forcing the PNR. An attacker could also track a specific individual’s travels if they knew their last name and the airline they are using — assuming that the airline is affected by this vulnerability. Alternatively, the attacker could attempt to exploit the flaw against the booking systems of the airlines that are most likely to be used by the victim.

An attacker can use this method to gain access to various types of information, including name, contact information, ticket data, itinerary, passport number, date of birth and even payment information.

The researcher told SecurityWeek that the vulnerability impacts several major airlines in Europe and the Middle East. He has reached out to several of them, but they have all asked him not to name them in his blog post.

The affected companies appear to be using a booking management system from Amadeus, a Spain-based provider of global distribution systems (GDS) whose services are used by more than 200 airlines worldwide.

This is not the first time a researcher has disclosed security weaknesses in Amadeus products. In fact, earlier this year, experts warned that the Amadeus reservation systems used by hundreds of airlines exposed the details of millions of travelers due to an insecure direct object reference (IDOR) vulnerability and the lack of brute-force protections.

Advertisement. Scroll to continue reading.

Amadeus has since made some improvements and implemented protections against brute-force attacks and other threats. However, these protections, which include anti-bot and anti-brute force mechanisms, are only available to airlines that allow Amadeus to manage the booking system for them. Airlines that choose to manage the booking system themselves and host it on their own infrastructure must implement the protection systems themselves, which many have apparently failed to do.

“The airline websites where the booking pages are affected by this vulnerability are NOT managed by Amadeus, they are either managed by the airlines themselves or by other non-Amadeus providers. Where Amadeus manage the booking pages for airlines there are protections in place against brute force attacks,” Amadeus told SecurityWeek.

The company explained, “The researcher confirmed that when the same test was run on an online booking website managed by Amadeus there were brute force protections in place to block the script, and that online booking website managed by Amadeus had protection against the vulnerability.”

Related: Check-in Links Sent by Several Airlines Expose Passenger Data

Related: Reservation Systems Used by Many Hotels Expose User Data

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.