A vulnerability discovered in a reservation system used by hundreds of airlines around the world could expose the details of millions of their customers, researchers warned this week.
Researcher Noam Rotem and Safety Detective discovered the flaw after booking a flight with El Al, the flag carrier of Israel. They noticed that a link sent to customers when booking a flight contained a parameter whose value could be modified to access other people’s flights – this is known as an insecure direct object reference (IDOR) vulnerability.
An attacker can exploit this vulnerability to obtain passenger name records (PNRs), names, and details on associated flights. A PNR is a record stored by global distribution systems (GDS) and it can include names, contact information, ticket data, itinerary, passport numbers, dates of birth and even payment information. PNRs are at the root of many security weaknesses involving GDS.
While Rotem and Safety Detective found the flaw in El Al services, they soon discovered that the issue actually affected the reservation system provided by Spain-based GDS provider Amadeus, whose services are used by more than 200 airlines, including American Airlines, United Airlines, Air France, Singapore Airlines, Qantas, Lufthansa, and British Airways.
Someone who is in possession of a passenger’s PNR and name can access an airline’s customer portal and make changes to flight options (e.g. seats and meals), claim frequent flyer miles, and update the phone number and email address, which can then be leveraged to cancel or change a reservation via customer support services.
PNR codes can often be obtained from social media websites, where unknowing individuals post pictures of their boarding pass. However, researchers also discovered that the lack of brute-force protections on the Amadeus system allows an attacker to obtain the PNRs of random individuals through a brute-force attack.
Rotem and Safety Detective believe nearly half of all airlines worldwide may be affected.
They notified Amadeus of their findings and the company rolled out a patch, according to a blog post published on Tuesday. However, The Register has reported that the fix is incomplete and the vulnerability can still be exploited.
SecurityWeek has reached out to Safety Detective for confirmation on the incomplete patch, but we have yet to hear back.
Related: Travel Booking Systems Expose User Data
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
Latest News
- OpenSSL Ships Patch for High-Severity Flaws
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Vulnerability Provided Access to Toyota Supplier Management Network
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- Linux Variant of Cl0p Ransomware Emerges
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
