Almost half of the flight travellers around the world were found exposed to a critical security vulnerability in an online flight ticket booking system that allowed remote hackers to access and modify their travel details and even claim their frequent flyer miles.
Israeli network security researcher Noam Rotem discovered the vulnerability while booking a flight with the Israeli airline ELAL; successful exploitation required only the victim’s PNR (Passenger Name Record) number.
The vulnerability resided in the widely used online flight booking system developed by Amadeus, which is currently being used by nearly 141 international airlines, including United Airlines, Lufthansa and Air Canada.
After booking a flight, the traveller receives a PNR number and a unique link that allows customers to check their booking status and related information associated with that PNR.
Rotem found that merely changing the value of the “RULE_SOURCE_1_ID” parameter in that link to someone else’s PNR number displayed the personal and booking-related information from the account associated with that customer.
Using the disclosed information, i.e. the booking ID and last name of the customer, an attacker can simply access the victim’s account and make changes: claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel or change the flight reservation via customer service.
“Though the security breach requires knowledge of the PNR code, many airlines send these codes via unencrypted email, and many people even share them on Facebook or Instagram. But that’s just the tip of the iceberg,” the researcher said in his blog post.
Don’t have PNR numbers of your victims? Don’t worry.
Rotem also found that the Amadeus portal had no brute-force protection, which allowed attackers to try every uppercase alphanumeric combination with a script, as shown, and so find all active PNR numbers of customers of any Amadeus-linked airline website.
“After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information,” Rotem added.
Since the Amadeus booking system is being used by at least 141 airlines, the vulnerability could have affected hundreds of millions of travellers.
After discovering the vulnerability, Rotem immediately contacted ELAL to point out the threat and suggested that the airline introduce captchas, passwords and a bot protection mechanism to prevent brute-force attempts.
Amadeus has now fixed the issue, and Rotem’s script can no longer identify active PNRs.
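The bot protection suggested above stops the enumeration at the edge; a defender also wants to see it in the logs. The following detector is an added example, not code from the article or from the researcher, and runs over constructed access-log lines: it flags clients that cycle through many distinct RULE_SOURCE_1_ID values with mostly failed lookups, the pattern the missing brute-force protection allowed. The /booking/status path and the six-character PNR format are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). The /booking/status
# path is a placeholder, not the real endpoint; RULE_SOURCE_1_ID is the parameter
# named in the report.
SAMPLE_LOG = """\
198.51.100.4 - - [16/Jan/2019:10:00:01 +0000] "GET /booking/status?RULE_SOURCE_1_ID=Q7K2ML HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jan/2019:10:05:09 +0000] "GET /booking/status?RULE_SOURCE_1_ID=Q7K2ML HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2019:10:00:02 +0000] "GET /booking/status?RULE_SOURCE_1_ID=AAAAAA HTTP/1.1" 404 310 "-" "python-requests/2.21"
203.0.113.7 - - [16/Jan/2019:10:00:02 +0000] "GET /booking/status?RULE_SOURCE_1_ID=AAAAAB HTTP/1.1" 404 310 "-" "python-requests/2.21"
203.0.113.7 - - [16/Jan/2019:10:00:03 +0000] "GET /booking/status?RULE_SOURCE_1_ID=AAAAAC HTTP/1.1" 404 310 "-" "python-requests/2.21"
203.0.113.7 - - [16/Jan/2019:10:00:03 +0000] "GET /booking/status?RULE_SOURCE_1_ID=AAAAAD HTTP/1.1" 200 5120 "-" "python-requests/2.21"
203.0.113.7 - - [16/Jan/2019:10:00:04 +0000] "GET /booking/status?RULE_SOURCE_1_ID=AAAAAE HTTP/1.1" 404 310 "-" "python-requests/2.21"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
PNR_RE = re.compile(r"^[A-Z0-9]{6}$")  # assumption: six uppercase alphanumerics

def parse_lookups(log_text):
    """Yield (client_ip, pnr, status) for each booking-status lookup."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, url, status = m.groups()
        pnr = parse_qs(urlsplit(url).query).get("RULE_SOURCE_1_ID", [""])[0]
        if PNR_RE.match(pnr):
            yield ip, pnr, int(status)

def flag_enumeration(log_text, min_distinct=5, min_failure_ratio=0.5):
    """Return {ip: (distinct_pnrs, failure_ratio)} for clients whose lookups look
    like PNR guessing: many distinct codes, mostly unsuccessful."""
    distinct, total, failed = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, pnr, status in parse_lookups(log_text):
        distinct[ip].add(pnr)
        total[ip] += 1
        if status != 200:
            failed[ip] += 1
    flagged = {}
    for ip in total:
        ratio = failed[ip] / total[ip]
        if len(distinct[ip]) >= min_distinct and ratio >= min_failure_ratio:
            flagged[ip] = (len(distinct[ip]), ratio)
    return flagged

if __name__ == "__main__":
    for ip, (n, ratio) in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct PNRs, {ratio:.0%} of lookups failed")
```

A real deployment would bucket by time window and key on session or account as well as IP, since a distributed guesser spreads its requests across many addresses.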
Upon contacting Amadeus, the company replied, “At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action, and we can now confirm that the issue is solved.”
Amadeus added that it has also introduced a Recovery PTR to strengthen security further and “prevent a malicious user from accessing travellers’ personal information.”
No one is entirely safe when making purchases or bookings online; the mantra in cybersecurity is that “it’s not a case of ‘if’ but ‘when’”. Even so, one would have thought that a company with Amadeus’s profile, and the types of services it provides to airline companies and the wider travel and leisure industry, would have held its cybersecurity and data protection systems to a higher standard. What the researcher’s report does not state is how long this vulnerability may have existed and how many people have been affected worldwide. Let’s face it: the travel industry is massive and worth trillions of dollars, with 1.8+ billion people travelling for business and/or leisure every year.
The convenience of online booking systems is clear and well established. However, in light of this disclosure and similar direct hacks of airline companies in recent years, I also believe there is a case for using the services of Travel Management Companies to mitigate the risk of personal data being exposed to hackers.
Amadeus is a computer reservation system (or global distribution system, since it sells tickets for multiple airlines) owned by the Amadeus IT Group with headquarters in Madrid, Spain. The central database is located at Erding, Germany. The major development centres are located in Sophia Antipolis (France), Bangalore (India), London (UK), and Boston (United States). In addition to airlines, the CRS is also used to book train travel, cruises, car rental, ferry reservations, and hotel rooms. Amadeus also provides New Generation departure control systems to airlines. Amadeus IT Group is a transaction processor for the global travel and tourism industry. The company is structured around two key related areas—its global distribution system and its IT Solutions business area.
Amadeus is a member of IATA, OTA and SITA. Its IATA airline designator code is 1A.