A significant security flaw has been identified in online flight ticket booking systems, compromising the personal travel details of nearly half of global flight travelers. This vulnerability, which allows unauthorized remote access and modifications to booking information, raises serious concerns about the safety protocols involved in such systems.
The discovery came from Noam Rotem, an Israeli cybersecurity researcher, who found the vulnerability while booking a flight with ELAL, an Israeli airline. The issue lies in the widely adopted booking platform developed by Amadeus, which is used by approximately 141 airlines worldwide, including major carriers such as United Airlines, Lufthansa, and Air Canada.
Upon booking a flight, travelers receive a unique link that carries their Passenger Name Record (PNR) number as a URL parameter. Rotem discovered that by simply changing that parameter to another person's PNR, he could view the sensitive booking details associated with it. Exposing this information could allow an attacker to take over the victim's account on the ELAL customer portal.
Utilizing the information gained, such as booking IDs and passenger names, an attacker could manipulate bookings by altering flight details or claiming frequent flyer miles, effectively posing as the victim. Notably, PNR codes are often transmitted in unencrypted formats, heightening the risk as many travelers post these codes publicly on social media platforms.
In addition, Rotem found that the Amadeus portal had no brute-force protection, which would otherwise have blocked systematic attempts to guess active PNR numbers. Using a relatively benign script to test this, Rotem was able to retrieve personal information tied to multiple customers, further illustrating the extent of the exposure.
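The access-control weakness described above, as an added illustration that is not from the article nor from Amadeus's or ELAL's code: a lookup keyed on the PNR alone, next to a hardened lookup that ties the PNR to a second piece of information only the traveler should know and limits failed attempts per client. The booking records, field names and thresholds are constructed for the example.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample records; a real system would read these from the booking database.
BOOKINGS = {
    "ABC123": {"passenger": "Dana Cohen", "flight": "LY001", "miles": 12000},
    "XYZ789": {"passenger": "Lee Park", "flight": "LY315", "miles": 800},
}

MAX_ATTEMPTS = 5        # failed lookups allowed per client within the window (assumed policy)
WINDOW_SECONDS = 600
_failures = defaultdict(list)   # client_id -> timestamps of failed lookups


def lookup_vulnerable(pnr):
    """Insecure pattern: the PNR alone selects the record, so anyone who sees
    or guesses a PNR (e.g. from a URL parameter) receives the booking."""
    return BOOKINGS.get(pnr)


def _too_many_failures(client_id, now):
    """Drop expired failures and report whether the client is over the limit."""
    recent = [t for t in _failures[client_id] if now - t < WINDOW_SECONDS]
    _failures[client_id] = recent
    return len(recent) >= MAX_ATTEMPTS


def lookup_hardened(pnr, last_name, client_id, now=None):
    """Require the passenger's surname alongside the PNR and rate-limit failures.

    Returns the booking on success, None on a mismatch, and "locked" once the
    client has used up its attempts for the current window.
    """
    now = time.time() if now is None else now
    if _too_many_failures(client_id, now):
        return "locked"
    record = BOOKINGS.get(pnr)
    expected = record["passenger"].split()[-1] if record else ""
    # Constant-time comparison so response timing does not reveal whether the PNR exists.
    ok = record is not None and hmac.compare_digest(
        expected.casefold().encode(), last_name.strip().casefold().encode())
    if not ok:
        _failures[client_id].append(now)   # count the miss, whatever its cause
        return None
    return record
```

A stronger second factor such as a recovery PIN or an authenticated session bound to the booking can replace the surname check without changing the structure.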
Given that the Amadeus booking system services over 141 airlines, it is estimated that the vulnerability might have impacted hundreds of millions of passengers worldwide. Following the discovery, Rotem reached out to ELAL, urging the addition of security features like CAPTCHAs and enhanced password protocols to prevent unauthorized access.
In response to this alarming vulnerability, Amadeus took swift action to remediate the issue. It reported implementing additional security measures and confirmed that the vulnerabilities have since been addressed, so that Rotem's script can no longer retrieve active PNRs.
Amadeus maintains that security is its utmost priority and that it continually updates its systems to guard against potential threats. It has also indicated that a Recovery PIN is being introduced to further restrict unauthorized access to traveler information.
The risk posed by inadequate security measures in online booking systems calls for vigilant cybersecurity practices among businesses handling personal information. The incident is a stern reminder of the importance of implementing robust security controls, informed by the MITRE ATT&CK framework and in particular its tactics of initial access and privilege escalation, to protect organizational and consumer data.