Vulnerability in the Amadeus flight booking system (Jan. 2019)

[German] Once again, security experts have come across a serious vulnerability in airline flight booking systems. All airlines that use the Amadeus flight booking system are affected (approx. 44% of the providers). A flaw similar to the one found in 2016 seems to have recurred, allowing access to other customers' data.


A few hours ago I was informed by the operators of safetydetective.com about the article "Major Security Breach Discovered Affecting Nearly Half of All Airline Travelers Worldwide".

Vulnerability in the ELAL Flight Booking System

White hat hacker and activist Noam Rotem, who collaborates with the Safety Detective research laboratory, recently discovered a vulnerability in airline booking systems. When booking a flight with the Israeli airline ELAL, he encountered a significant vulnerability: it would have allowed anyone to access and change private information about flight bookings.

When he continued his research, he found that the same weakness exists at other airlines; he writes that the flaw is present in 44% of the international carrier market. The vulnerability may therefore affect millions of travellers.

Amadeus booking system: 44% of airlines affected

According to ELAL, the vulnerability lies in the Amadeus online booking system, which has a market share of 44% and is used by globally operating airlines such as United Airlines, Lufthansa, Air Canada and many others.

When booking a flight with ELAL, users receive a link of the form https:[//]fly.elal.co[.il]/[code] to check the PNR (Print Boarding Pass, ticket printout). According to the report, simply changing the RULE_SOURCE_1_ID field should make it possible to access, view or even manipulate any PNR assigned to a customer.


Using the PNR code and customer name, the hackers could log into the ELAL customer portal (https://booking.elal.co.il/newBooking/changeOrderNewSite.jsp) and make changes: claim frequent flyer miles to a personal account, assign seats and meals, and update the customer's email address and phone number in order to cancel or change a flight reservation through customer service.

Although exploiting the vulnerability requires knowledge of the PNR code, ELAL sends these codes via unencrypted e-mail, and many people even share this information on Facebook or Instagram. But that is just the tip of the iceberg.

The hackers ran a small script to look for brute-force protections. Since the script found none, they were able to retrieve random customers' PNRs containing all their personal information. The hackers immediately contacted ELAL to point out the threat and asked them to close the vulnerability before someone with malicious intent discovered it.
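A defender-side check of the kind the report says was missing, added here as an example that is not from the article or from ELAL/Amadeus: it scans web-server access logs and flags any client that requests many distinct booking record IDs within a short window, which is what PNR enumeration looks like from the server side. The simplified log format, the /booking/pnr path, the client addresses and the sample lines are constructed for illustration; only the RULE_SOURCE_1_ID parameter name comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified access-log format; the /booking/pnr
# path and the client addresses are hypothetical, only RULE_SOURCE_1_ID is from the report.
ATTACKER = [
    f'203.0.113.7 [08/Jan/2019:10:00:{i:02d} +0000] '
    f'"GET /booking/pnr?RULE_SOURCE_1_ID=AB{i:04d} HTTP/1.1" 200'
    for i in range(8)  # eight different record IDs inside seven seconds
]
LEGIT = [
    '198.51.100.9 [08/Jan/2019:10:00:03 +0000] "GET /booking/pnr?RULE_SOURCE_1_ID=XK7Q2M HTTP/1.1" 200',
    '198.51.100.9 [08/Jan/2019:10:05:03 +0000] "GET /booking/pnr?RULE_SOURCE_1_ID=XK7Q2M HTTP/1.1" 200',
    '192.0.2.4 [08/Jan/2019:10:01:00 +0000] "GET /static/logo.png HTTP/1.1" 200',
]
SAMPLE_LOG = ATTACKER + LEGIT

LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})$')
PNR_RE = re.compile(r"RULE_SOURCE_1_ID=(?P<pnr>[A-Z0-9]{6})")

def parse_line(line):
    """Return (client_ip, timestamp, record_id) for a PNR lookup request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PNR_RE.search(m["path"])
    if not p:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), p["pnr"]

def find_enumerators(lines, window=timedelta(seconds=60), threshold=5):
    """Map client IP -> most distinct record IDs it requested inside one window; a
    traveller checks one or two bookings, many distinct IDs per minute is enumeration."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])  # (timestamp, record_id)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the sliding window
            distinct = {pnr for _, pnr in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Run over SAMPLE_LOG, only the enumerating client is reported; the traveller who re-checks the same booking and the static-asset request are ignored.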

One suggestion was to protect access with captchas, passwords (instead of a 6-digit PNR code) and a bot-protection mechanism to prevent brute-force attacks. The answer from Amadeus:

"At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action and we can now confirm that the issue is solved. To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers' personal information. We regret any inconvenience this situation might have caused."

In a nutshell: after the vulnerability was reported, it was immediately corrected and appropriate measures were taken to protect customer data. However, this is not the first time that the Amadeus flight booking system has attracted negative attention. In December 2016, I reported on a major security vulnerability in the Amadeus flight booking system, discovered by security researcher Carsten Nohl, in my German blog post Sicherheitslücken bei Flugbuchungen und –Internet/-Telefonie.
