Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Flaw in Reservation System Impacts Many Airlines

A vulnerability discovered in a reservation system used by hundreds of airlines around the world could expose the details of millions of their customers, researchers warned this week.

A vulnerability discovered in a reservation system used by hundreds of airlines around the world could expose the details of millions of their customers, researchers warned this week.

Researcher Noam Rotem and Safety Detective discovered the flaw after booking a flight with El Al, the flag carrier of Israel. They noticed that a link sent to customers when booking a flight contained a parameter whose value could be modified to access other people’s flights – this is known as an insecure direct object reference (IDOR) vulnerability.

An attacker can exploit this vulnerability to obtain passenger name records (PNRs), names, and details on associated flights. A PNR is a record stored by global distribution systems (GDS) and it can include names, contact information, ticket data, itinerary, passport numbers, dates of birth and even payment information. PNRs are at the root of many security weaknesses involving GDS.

While Rotem and Safety Detective found the flaw in El Al services, they soon discovered that the issue actually affected the reservation system provided by Spain-based GDS provider Amadeus, whose services are used by more than 200 airlines, including American Airlines, United Airlines, Air France, Singapore Airlines, Qantas, Lufthansa, and British Airways.

Someone who is in possession of a passenger’s PNR and name can access an airline’s customer portal and make changes to flight options (e.g. seats and meals), claim frequent flyer miles, and update the phone number and email address, which can then be leveraged to cancel or change a reservation via customer support services.

PNR codes can often be obtained from social media websites, where unknowing individuals post pictures of their boarding pass. However, researchers also discovered that the lack of brute-force protections on the Amadeus system allows an attacker to obtain the PNRs of random individuals through a brute-force attack.

Rotem and Safety Detective believe nearly half of all airlines worldwide may be affected.

They notified Amadeus of their findings and the company rolled out a patch, according to a blog post published on Tuesday. However, The Register has reported that the fix is incomplete and the vulnerability can still be exploited.

SecurityWeek has reached out to Safety Detective for confirmation on the incomplete patch, but we have yet to hear back.

Related: Travel Booking Systems Expose User Data

Related: Pentagon Reveals Cyber Breach of Travel Records

Related: Travel Tech Giant Sabre Investigating Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...