Vulnerabilities persist in airline reservations systems despite repeated warnings
A vulnerability in Amadeus, the customer reservation system used by 144 of the world's airlines, was only superficially patched after a team reported it in 2018. As a result, an attacker could alter other passengers' Passenger Name Records, which contain all the details of the passengers and flights and are used by government security agencies to check against the no-fly list. Bug hunter Noam Rotem discovered that a web script hosted by individual airlines accepts a passenger's six-character booking reference as part of the URL and returns a page with the passenger's name on it if the reference is valid. A working reference number and the passenger's last name are enough to log into the airline's online portal to view and change the flight reservation, seat assignments and contact details, and to redirect frequent flyer points to another account. The script is also open to bots, which can run through booking references by brute force. Amadeus and its two largest competitors, Sabre and Travelport, administer more than 90% of flight reservations as well as many hotel, car and other travel bookings. The vulnerabilities in their systems were pointed out in 2017 by Germany-based Security Research Labs, and at least 15 years ago by travel data privacy expert Edward Hasbrouck.
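As an added example that is not from the cited articles, the following Python scans constructed web-server log lines for the enumeration pattern described above: one source cycling through many distinct six-character booking references in a short window, with most lookups failing. The /checkin path, the ref query parameter and the log lines are assumptions, not the real airline script's interface.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Apache combined format); the /checkin path and "ref" parameter are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2019:10:00:01 +0000] "GET /checkin?ref=AB12CD HTTP/1.1" 404 512
203.0.113.7 - - [15/Jan/2019:10:00:02 +0000] "GET /checkin?ref=AB12CE HTTP/1.1" 404 512
203.0.113.7 - - [15/Jan/2019:10:00:03 +0000] "GET /checkin?ref=AB12CG HTTP/1.1" 200 2048
203.0.113.7 - - [15/Jan/2019:10:00:03 +0000] "GET /checkin?ref=AB12CH HTTP/1.1" 404 512
198.51.100.20 - - [15/Jan/2019:10:00:05 +0000] "GET /checkin?ref=XY98ZQ HTTP/1.1" 200 2048
198.51.100.20 - - [15/Jan/2019:10:05:00 +0000] "GET /checkin?ref=XY98ZQ HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
REF_RE = re.compile(r"[?&]ref=([A-Z0-9]{6})\b")  # six-character booking reference in the URL

def parse_line(line):
    """Return (ip, timestamp, booking_ref, status) for a reference lookup, else None."""
    m = LOG_RE.match(line)
    r = REF_RE.search(m.group("path")) if m else None
    if not r:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, r.group(1), int(m.group("status"))

def find_enumerators(log_text, window_seconds=60, min_distinct_refs=4, min_miss_ratio=0.5):
    """Flag source IPs that, within any window_seconds span, looked up at least
    min_distinct_refs distinct references with at least min_miss_ratio of the
    lookups failing (non-200). Returns {ip: (distinct_refs, miss_ratio)}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev[0]].append(ev[1:])  # (timestamp, ref, status)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past stale events
            window = events[start:end + 1]
            distinct = len({ref for _, ref, _ in window})
            ratio = sum(status != 200 for _, _, status in window) / len(window)
            if distinct >= min_distinct_refs and ratio >= min_miss_ratio:
                if distinct > flagged.get(ip, (0, 0.0))[0]:
                    flagged[ip] = (distinct, round(ratio, 2))
    return flagged
```

A legitimate passenger re-checking one booking (the second IP) is not flagged, while the source cycling through consecutive references with mostly invalid responses is.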

Writer: Shaun Nichols; Eric Auchard; Wendy M. Grossman
Publication: The Register; Reuters; Infosecurity Magazine
Publication date: 2019-01-15; 2016-12-27; 2009-06-26