A recently discovered vulnerability in the Amadeus online reservation system made it possible to access and change reservations with just a booking number.
The bug, in the booking system which has 44 percent of the international carriers’ market, was uncovered by hacker and activist Noam Rotem, who tried to book a flight on Israel’s ELAL airline.
Rotem, working with Safety Detective’s research lab, found that “by simply changing the RULE_SOURCE_1_ID, we were able to view any PNR and access the customer name and associated flight details,” according to a blog post penned by Safety Detective’s Paul Kane.
From there, the researchers could log into ELAL’s customer portal “and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service.”
Acknowledging that a hacker must know a PNR code to exploit the vulnerability, the blog post explained that ELAL sends the codes out through unencrypted email and that flyers are careless with them, often sharing them on social media.
“But that’s just the tip of the iceberg,” the blog said. “After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information.”
The researchers, who developed a script to fix the problem, contacted ELAL to report the vulnerability and suggested the airline introduce captchas, passwords and a bot protection mechanism.
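The weakness described above is an insecure direct object reference: a record identifier alone unlocks the reservation, and nothing limits how fast identifiers can be tried. The following is an added illustration, not code from the article, from Amadeus, ELAL or Safety Detective; the reservation records, the `RULE_SOURCE_1_ID`-style lookup, the surname check and the rate-limit thresholds are all constructed assumptions. It places the reported pattern beside a hardened lookup that requires a second piece of knowledge (the traveller's surname), applies a per-client sliding-window limit in the spirit of the bot-protection recommendation, and fails identically whether the PNR or the surname is wrong.

```python
"""Added example (not from the article or any of the parties it names):
a toy PNR lookup showing the reported flaw class, an insecure direct
object reference keyed only on a record identifier with no brute-force
limit, beside a hardened version. Records, names and thresholds are
constructed for illustration."""
import hmac
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample reservations keyed by a six-character record locator (PNR).
RESERVATIONS = {
    "ABC123": {"last_name": "DOE", "flight": "LY001", "email": "doe@example.com"},
    "XYZ789": {"last_name": "ROE", "flight": "LY315", "email": "roe@example.com"},
}


class NotFound(Exception):
    """Raised for any failed lookup; deliberately carries no detail."""


class RateLimited(Exception):
    """Raised when a client exceeds its lookup budget within the window."""


def lookup_insecure(record_id: str) -> dict:
    """Mirrors the reported weakness: whoever supplies a record identifier
    (the article's RULE_SOURCE_1_ID) receives the full reservation, and
    nothing slows down guessing other identifiers."""
    try:
        return RESERVATIONS[record_id]
    except KeyError:
        raise NotFound


class PnrService:
    """Hardened lookup: the surname on the booking must also match, each
    client gets a sliding-window attempt budget, and the failure path is
    the same whether the PNR does not exist or the surname is wrong."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 60.0):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts: dict = defaultdict(deque)  # client -> attempt timestamps

    def _check_rate(self, client: str, now: float) -> None:
        q = self._attempts[client]
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            raise RateLimited
        q.append(now)  # every attempt, successful or not, consumes budget

    def lookup(self, client: str, pnr: str, last_name: str,
               now: Optional[float] = None) -> dict:
        now = time.monotonic() if now is None else now
        self._check_rate(client, now)
        record = RESERVATIONS.get(pnr.upper())
        expected = record["last_name"] if record else ""
        # Always run the comparison so a missing PNR and a wrong surname
        # take the same path; compare_digest avoids a timing side channel.
        surname_ok = hmac.compare_digest(expected.encode(), last_name.upper().encode())
        if record is None or not surname_ok:
            raise NotFound
        # Return only the fields this flow needs, not the whole record.
        return {"pnr": pnr.upper(), "flight": record["flight"]}


if __name__ == "__main__":
    svc = PnrService(max_attempts=3)
    print(svc.lookup("client-a", "abc123", "doe"))
```

The insecure function and the hardened class are kept side by side so the difference is visible in the interface itself: the hardened lookup cannot even be called without a surname, and the rate limiter lives inside the service rather than being an optional front-end add-on.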
After the researchers reported the vulnerability to Amadeus, the company issued a statement saying the problem was resolved and that it had also “added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information.”
Noting that “everything in the aviation ecosystem is interconnected, and therefore, vulnerable to cyberattacks,” Todd Probert, vice president of mission support and modernization at Raytheon Intelligence, Information and Services, said “whether it be a reservation system, as was the case for Amadeus, a major airline, aircraft, or a hotel chain accommodating frequent flyers, cybercriminals have a gamut of systems at their fingertips that are far too easy to crack.”
The Amadeus vulnerability, just like last year’s Marriott breach, “provides foreign actors with the patterns of life of global political and business leaders, including who they traveled with, when and where,” said Probert. “The aviation industry is built on trust. Preserving that trust requires layers upon layers of cybersecurity.”