A vulnerability discovered in a reservation system used by hundreds of airlines around the world could expose the details of millions of their customers, researchers warned this week.
Researcher Noam Rotem and Safety Detective discovered the flaw after booking a flight with El Al, the flag carrier of Israel. They noticed that a link sent to customers when booking a flight contained a parameter whose value could be modified to access other people’s flights – this is known as an insecure direct object reference (IDOR) vulnerability.
An attacker can exploit this vulnerability to obtain passenger name records (PNRs), names, and details on associated flights. A PNR is a record stored by global distribution systems (GDS) and it can include names, contact information, ticket data, itinerary, passport numbers, dates of birth and even payment information. PNRs are at the root of many security weaknesses involving GDS.
While Rotem and Safety Detective found the flaw in El Al services, they soon discovered that the issue actually affected the reservation system provided by Spain-based GDS provider Amadeus, whose services are used by more than 200 airlines, including American Airlines, United Airlines, Air France, Singapore Airlines, Qantas, Lufthansa, and British Airways.
Someone who is in possession of a passenger’s PNR and name can access an airline’s customer portal and make changes to flight options (e.g. seats and meals), claim frequent flyer miles, and update the phone number and email address, which can then be leveraged to cancel or change a reservation via customer support services.
PNR codes can often be obtained from social media websites, where unknowing individuals post pictures of their boarding pass. However, researchers also discovered that the lack of brute-force protections on the Amadeus system allows an attacker to obtain the PNRs of random individuals through a brute-force attack.
Rotem and Safety Detective believe nearly half of all airlines worldwide may be affected.
They notified Amadeus of their findings and the company rolled out a patch, according to a blog post published on Tuesday. However, The Register has reported that the fix is incomplete and the vulnerability can still be exploited.
SecurityWeek has reached out to Safety Detective for confirmation on the incomplete patch, but we have yet to hear back.
Related: Travel Booking Systems Expose User Data