Booking system of 141 Airlines goes awry worldwide
A critical vulnerability has been found in an online flight booking system, exposing almost half of the world's flight travellers to a flaw that allowed remote hackers to access and modify their travel details and even claim their frequent flyer miles.
Israeli network security researcher Noam Rotem discovered the vulnerability when he booked a flight on the Israeli airline ELAL. Successful exploitation required only the victim's PNR (Passenger Name Record) number. After booking a flight with ELAL, the traveler receives a PNR number and a unique link that allows customers to check their booking status and related information associated with that PNR.
Rotem found that merely changing the value of the "RULE_SOURCE_1_ID" parameter on that link to someone else's PNR number would display personal and booking-related information from the account associated with that customer.
Using the disclosed information, i.e. the booking ID and last name of the customer, an attacker can simply access the victim's account on ELAL's customer portal and "make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer's email and phone number, which could then be used to cancel/change flight reservation via customer service." According to the report, the vulnerability could have affected hundreds of millions of travelers.
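The behaviour described above is an insecure direct object reference: the server returns whichever booking the link's parameter names. The following is an added example, not code from Amadeus, ELAL or the researcher, showing that lookup beside one possible hardened form; the `token` parameter, the function names, the key and the sample bookings are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: PNRs, names and flights are invented for this example.
BOOKINGS = {
    "ABC123": {"last_name": "Levi", "flight": "LY001"},
    "ABC124": {"last_name": "Cohen", "flight": "LY315"},
}
LINK_KEY = b"example-only-key"  # assumption: server-side secret, never sent to clients


def vulnerable_lookup(params):
    """Trusts the PNR in the link: editing the parameter returns another booking."""
    return BOOKINGS.get(params.get("RULE_SOURCE_1_ID"))


def link_token(pnr):
    """Unguessable per-booking token (HMAC-SHA256 over the PNR) placed in the link."""
    return hmac.new(LINK_KEY, pnr.encode(), hashlib.sha256).hexdigest()


def hardened_lookup(params):
    """Returns the booking only when the token was issued for this exact PNR."""
    pnr = params.get("RULE_SOURCE_1_ID", "")
    supplied = params.get("token", "")  # hypothetical extra link parameter
    # Constant-time comparison on bytes. "Unknown PNR" and "wrong token" give the
    # same result, so responses do not reveal which PNRs are active.
    if not hmac.compare_digest(link_token(pnr).encode(), supplied.encode()):
        return None
    return BOOKINGS.get(pnr)


def demo():
    own_link = {"RULE_SOURCE_1_ID": "ABC123", "token": link_token("ABC123")}
    tampered = dict(own_link, RULE_SOURCE_1_ID="ABC124")  # PNR edited, token unchanged
    return {
        "vulnerable_tampered": vulnerable_lookup(tampered),
        "hardened_own": hardened_lookup(own_link),
        "hardened_tampered": hardened_lookup(tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Binding the link to the booking addresses the parameter swap only; rate limiting on the lookup endpoint would still be needed against bulk guessing.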
Amadeus has been able to fix the issue, and Rotem's script can no longer identify active PNRs as demonstrated.
In a statement, Amadeus says, "At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action, and we can now confirm that the issue is solved."
Hackers are smart enough to get into the flight booking system, which is developed by Amadeus and is widely used by nearly 141 international airlines, including United Airlines, Lufthansa and Air Canada.