Airlines That Manage Booking Systems Themselves Expose Customer Data

Some of the airlines that manage booking systems themselves have failed to implement important protection mechanisms, exposing their customers’ personal information, a researcher has warned.


Many airlines allow customers to view and make changes to flight details using a unique identifier called the booking reference, or passenger name reference (PNR), and their last name.


The problem is that some airlines have not implemented mechanisms that would prevent someone from obtaining the PNR through a brute-force attack on their booking management system.


Ahmed El-fanagely, a penetration tester based in Egypt, says he has developed a tool that would allow an attacker to access a random individual’s flight information by using common last names and by brute-forcing the PNR. An attacker could also track a specific individual’s travels if they knew their last name and the airline they are using — assuming that the airline is affected by this vulnerability. Alternatively, the attacker could attempt to exploit the flaw against the booking systems of the airlines that are most likely to be used by the victim.
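The missing protection can be sketched from the defender's side. This is an added example, not code from the researcher, the airlines or Amadeus: a throttle that counts failed booking lookups per client and per last name. The class name, thresholds, window and event format are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600        # assumed sliding window
MAX_FAILS_PER_CLIENT = 5    # assumed threshold
MAX_FAILS_PER_NAME = 20     # assumed threshold


class LookupThrottle:
    """Sliding-window count of failed (PNR, last name) lookups.

    Failures are keyed by client and by last name, never by PNR: a guesser
    tries each PNR once, so a per-PNR counter would never reach a limit.
    """

    def __init__(self):
        self._fails = defaultdict(deque)  # key -> failure timestamps

    def _keys(self, client, last_name):
        return ("client", client), ("name", last_name.strip().casefold())

    def _recent(self, key, now):
        q = self._fails[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()  # drop failures that fell out of the window
        return len(q)

    def allowed(self, client, last_name, now):
        by_client, by_name = self._keys(client, last_name)
        return (self._recent(by_client, now) < MAX_FAILS_PER_CLIENT
                and self._recent(by_name, now) < MAX_FAILS_PER_NAME)

    def record_failure(self, client, last_name, now):
        for key in self._keys(client, last_name):
            self._fails[key].append(now)


def replay(events):
    """Replay (time, client, last_name, matched) lookups; return each decision."""
    throttle, decisions = LookupThrottle(), []
    for now, client, last_name, matched in events:
        if not throttle.allowed(client, last_name, now):
            decisions.append("blocked")
        elif matched:
            decisions.append("served")
        else:
            throttle.record_failure(client, last_name, now)
            decisions.append("not_found")
    return decisions


# Constructed sample: one client guessing PNRs for a common last name.
SAMPLE = [(t, "198.51.100.7", "Smith", False) for t in range(8)]
if __name__ == "__main__":
    print(replay(SAMPLE))
```

The per-name counter also catches guesses spread across many clients, at the cost of briefly refusing genuine travellers who share that last name; a real deployment might require a CAPTCHA at that point instead of refusing outright.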


An attacker can use this method to gain access to various types of information, including name, contact information, ticket data, itinerary, passport number, date of birth and even payment information.


The researcher told SecurityWeek that the vulnerability impacts several major airlines in Europe and the Middle East. He has reached out to several of them, but they have all asked him not to name them in his blog post.


The affected companies appear to be using a booking management system from Amadeus, a Spain-based provider of global distribution systems (GDS) whose services are used by more than 200 airlines worldwide.


This is ..
