Travelers around the world were found to be exposed to a critical vulnerability in an online flight booking system that allowed threat actors to access and modify sensitive information such as travel details and frequent flyer details.

Israeli network security researcher Noam Rotem discovered this vulnerability while booking a flight. Exploitation required only the victim's Passenger Name Record (PNR) number.

After a passenger makes a booking, they receive a unique link containing a PNR, which allows them to check their booking status. Rotem discovered that changing the value of one of the parameters in the link to someone else's PNR number would display the booking information and personal details of the passenger with that number.

Rotem was also able to write a script to brute force PNR numbers and check them for validity. This meant that he could gain unauthorized access to passenger details and modify flight itineraries.
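The flaw described in the two paragraphs above, where the PNR in the link is the only credential and guesses are unlimited, is shown here next to one possible hardened lookup. This is an added example, not code from the booking system or from Rotem's research; the function names, the HMAC link token, the throttle limits and the sample bookings are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data: PNR -> booking record (not real bookings).
BOOKINGS = {
    "ABC123": {"name": "A. Traveler", "flight": "XX100"},
    "XYZ789": {"name": "B. Passenger", "flight": "XX200"},
}
LINK_KEY = b"demo-only-key"  # placeholder; a real key lives in a secret store
MAX_FAILURES, WINDOW_SECONDS = 5, 300  # assumed throttle limits
_failures = {}  # client id -> timestamps of recent failed lookups


def lookup_vulnerable(pnr):
    """The flawed pattern: the PNR in the link is the only credential."""
    return BOOKINGS.get(pnr)


def make_link_token(pnr):
    """Tag issued with the booking link; it cannot be derived from the PNR alone."""
    return hmac.new(LINK_KEY, pnr.encode(), hashlib.sha256).hexdigest()


def lookup_hardened(pnr, token, client, now=None):
    """Return (booking, status) only for a valid PNR and token pair, with throttling."""
    now = time.time() if now is None else now
    # Keep only failures inside the sliding window for this client.
    recent = [t for t in _failures.get(client, []) if now - t < WINDOW_SECONDS]
    _failures[client] = recent
    if len(recent) >= MAX_FAILURES:
        return None, "throttled"
    expected = make_link_token(pnr)
    if pnr in BOOKINGS and hmac.compare_digest(expected.encode(), token.encode()):
        return BOOKINGS[pnr], "ok"
    recent.append(now)  # same response for an unknown PNR and a bad token
    return None, "denied"
```

The token is what removes guessability; the per-client throttle only slows repeated guessing from one source and should be paired with monitoring of failed lookups across clients.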

Thankfully, this was discovered by Rotem, who is a researcher, not a threat actor. His actions were done for a good cause and potentially stopped a data breach from occurring. The issue has been fixed, and the exploit Rotem used no longer works.

Link to original post: https://www.safetydetective.com/blog/major-security-breach-discovered-affecting-nearly-half-of-all-airline-travelers-worldwide/