An attacker would only need to guess a passenger’s last name and their booking reference codes to access details about the flight.
An attacker would only need to guess a passenger’s last name and their booking reference codes to access details about the flight.

Symantec researcher Candid Wueest spotted Airport boarding gate displays putting passengers at risk by leaking booking codes.

Wueest followed an IP address from a boarding gate display to access a landing page listing debug information listing databases containing information about the next flights which could be used to hack into passenger accounts, according to a Jan. 10 blog post.

An attacker would only need to guess a passenger's last name and their booking reference codes, also known as passenger name record (PNR) locators, to access details about the flight and other passengers on the same booking including full names, email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth.

Wueest said the information was available to anyone that knew about the publicly accessible server. The airline has since patched the flaw.