Weak web services inherent in systems used to book flights leave them open to several problems.

Security Research Labs (SRL) has found that the three computer systems responsible for booking about 90 percent of all airline trips worldwide are each vulnerable to exposing passenger information due to several legacy flaws.

The three booking systems – Amadeus, Sabre and Travelport – suffer from weak authentication and weak web services, reported Berlin-based Security Research Labs. The primary reason behind these flaws is that all of the Global Distribution Systems (GDS), the flight booking software, were built in the 1970s and 1980s to operate on mainframe computers and dedicated lines, but have since been updated to work over the internet.

Due to these flaws, malicious actors can obtain a wide variety of passenger data, including personally identifiable information, flights can be stolen or altered, and mileage can be swiped. In addition, any stolen information could be used for phishing and other types of cyberattacks.

The report pointed to an almost total lack of authentication. In many cases, the authenticator itself is printed on the boarding pass, making it susceptible to a physical as well as a cyberattack.

“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor. Instead, the booking code (aka PNR Locator, a 6-digit alphanumeric string such as 8EI29V) is used to access and change travelers' information,” the SRL report stated.

The weak web services inherent in these systems leave them open to several problems, including brute force attacks. “Two of the three main GDSs assign booking codes sequentially, further shrinking the search space. Finally, many GDS and airline web sites allow trying many thousand booking codes from a single IP address. Given only passengers' last names, their booking codes can be found over the Internet with little effort,” the report stated.

To counter this, SRL suggested adding simple security, such as Captchas, and limiting the number of access attempts per IP address.
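The per-IP limiting and CAPTCHA step-up that SRL recommends, as an added example that is not part of the report or this article: a sliding-window guard for a booking-code lookup endpoint, replayed over constructed request lines. The thresholds (20 attempts per 10 minutes, CAPTCHA after 5 misses) and the log format are assumptions, not any GDS's real settings.

```python
from collections import defaultdict, deque

# Limits are assumptions for illustration; the page gives no real GDS settings.
MAX_ATTEMPTS = 20      # lookups per source IP allowed inside the window
WINDOW_SECONDS = 600   # sliding window length in seconds
CAPTCHA_AFTER = 5      # demand a CAPTCHA once an IP has this many consecutive misses


class PnrLookupGuard:
    """Per-IP sliding-window limiter for booking-code (PNR locator) lookups."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 captcha_after=CAPTCHA_AFTER):
        self.max_attempts, self.window, self.captcha_after = max_attempts, window, captcha_after
        self.recent = defaultdict(deque)  # ip -> timestamps of attempts in window
        self.failures = defaultdict(int)  # ip -> consecutive failed lookups

    def check(self, ip, now, captcha_ok=False):
        """Decide 'allow', 'captcha' or 'block' for a lookup at time `now`."""
        q = self.recent[ip]
        while q and now - q[0] > self.window:  # expire attempts older than the window
            q.popleft()
        q.append(now)  # every attempt counts, whether or not it is served
        if len(q) > self.max_attempts:
            return "block"
        if self.failures[ip] >= self.captcha_after and not captcha_ok:
            return "captcha"
        return "allow"

    def record_result(self, ip, success):
        """A matching last name + code resets the miss counter; a miss increments it."""
        self.failures[ip] = 0 if success else self.failures[ip] + 1


def replay(log_lines, guard=None):
    """Replay 'ts ip last_name code ok|fail' lines; return per-IP decision counts."""
    guard = guard or PnrLookupGuard()
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        ts, ip, _last_name, _code, result = line.split()
        decision = guard.check(ip, float(ts))
        stats[ip][decision] += 1
        if decision == "allow":
            guard.record_result(ip, result == "ok")
    return {ip: dict(counts) for ip, counts in stats.items()}


# Constructed sample log: one client hammering the lookup form with a single last
# name and a run of wrong codes, and one traveller checking a real booking twice.
SAMPLE_LOG = [f"{i} 203.0.113.9 SMITH BAD{i:03d} fail" for i in range(30)]
SAMPLE_LOG += ["40 198.51.100.4 JONES 8EI29V ok", "41 198.51.100.4 JONES 8EI29V ok"]
```

Replaying `SAMPLE_LOG` serves the guessing client 5 times, then demands a CAPTCHA for the next 15 attempts and blocks the remaining 10, while the traveller's two lookups are served normally.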