Your Personal Data Was Potentially Exposed by a Flaw in 140+ Airlines’ Software

Most travelers know not to share un-masked photos their boarding passes online. By scanning the barcode or just reading the name and reservation number off the boarding pass, anyone can access your personal data and may be able to change or cancel your flight. However, until last week, hackers didn’t need your boarding pass to get your data or wreak havoc on your reservation if it was booked through one of more than 140 airlines.

While the average flyer probably has not heard of Amadeus or Sabre, most airlines across the world use one of these two major reservation systems. And Israeli hacker Noam Rotem — working with Safety Detective — discovered a major flaw in Amadeus that left a backdoor open for hackers to easily access passengers’ data, including birthday, address, email, phone number and access to frequent flyer accounts.

Chances are you’ve booked a flight through one of the airlines that uses the Amadeus reservation system. These airlines include: Air Canada, Air France, ANA, Asiana, Austrian, British Airways, Brussels Airlines, Cathay Pacific, El Al, EVA Airways, Finnair, Iberia, Icelandair, KLM, Korean Airways, Lufthansa, Malaysian Airlines, OpenSkies, Qantas, SAS, Singapore Airlines, SWISS, TAP Portugal, Thai Airways and many more.

Even without this flaw, it doesn’t take much to access an airline reservation. Typically, all you need is the last name of the passenger and the Personal Name Record (PNR) for the reservation. However, using El Al’s reservation system, researchers found that they could simply tweak a URL to pull up any Amadeus reservation using just the six-digit Personal Name Record (PNR). The passenger’s last name wasn’t required.

Even worse, the researchers found that there was no limitation in place to keep them from randomly generating numbers and pinging the Amadeus system to check if there was an active reservation using that PNR. While there are around two million possible six-digit alphanumeric combinations, the researchers were able to go through possibilities with decent speed:

Through this process they were able to retrieve an undisclosed number of active reservations. And once they found a match, the researchers report:

“We were able to log into El Al’s customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service.”

Being “white-hat hackers,” the researches shared their discovery with Amadeus — along with suggestions to add reservation passwords, captcha and other “bot protection mechanisms” to keep this from being possible in the future.

Amadeus responded to Safety Detective that it “took immediate action” to fix the issue and “can now confirm that the issue is solved.”

“To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information, the company’s statement continued. “We regret any inconvenience this situation might have caused.”

As this wasn’t a traditional hack — like Marriott, Cathay Pacific, Equifax and more — its unclear how many passengers’ data may have been exposed through this simple reservation access method. Amadeus says it hasn’t detected a data breach.

“We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed,” Amadeus said in a statement to TPG. “We can confirm that Amadeus has not detected any data breach and that no data from travelers was disclosed. We regret any disruption this situation may have caused.”

However, it seems it would be tough for Amadeus to be sure that “no data from travelers was disclosed.” It’s possible that Amadeus could see from its logs whether another brute-force attack — similar to the one that the researchers used — had been employed. However, this reservation access method is identical to how El Al passengers would access their reservations when clicking through a confirmation email. Indeed, that’s how the hacker discovered this access method. So, at the very least, it would likely be difficult to say for sure that bad actors didn’t utilize this reservation access method on a smaller scale.

Looking forward, there clearly needs to be a better way to secure flight reservation data than the archaic procedure that simply requires a PNR and the traveler’s last name. In its statement, Amadeus emphasizes that it realizes this and is working “together with our customers and partners in the industry to address PNR security overall.”

“The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale,” the company said. “Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which will require industry collaboration.”

Speaking of the International Air Transportation Association (IATA), the standard-setting industry group finally released a statement on Wednesday — almost a week after the disclosure about the backdoor. The statement pledges that “IATA is committed to working with industry stakeholders to ensure passenger information remains secure.”

The Department of Transportation and Federal Aviation Administration were unable to be reached for comment due to the partial government shutdown.