[BreachExchange] Over 140 International Airlines Affected by Major Security Breach

Destry Winant destry at riskbasedsecurity.com
Fri Jan 18 01:19:37 EST 2019


https://www.bleepingcomputer.com/news/security/over-140-international-airlines-affected-by-major-security-breach/

Potential attackers could view and change private information in
flight bookings made by millions of customers of major international
airlines because of a security issue in the Amadeus online booking
system found by Safety Detective's Noam Rotem.

Currently, the Amadeus ticket booking system is used by 141
international airlines, which gives it 44% of the global online
reservation market; United Airlines, Lufthansa and Air Canada are
among its clients.

As described by Safety Detective's research labs, the security bug was
found when trying to book a flight on the EL AL airline, Israel's
national carrier, which sent the security researchers "the following
link to check our PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE."

From there it was only a matter of changing the RULE_SOURCE_1_ID
parameter in that URL: the identifier alone selected the record, with
no check that the requester was entitled to it (an insecure direct
object reference), so they could view any Passenger Name Record (PNR),
including the passenger's name and all associated flight details.

PNR codes sent in plain text and shared on social media

Using the customer name and the PNR code, the researchers were then
able to successfully log into EL AL’s customer portal which allowed
them to "make changes, claim frequent flyer miles to a personal
account, assign seats and meals, and update the customer’s email and
phone number, which could then be used to cancel/change flight
reservation via customer service."

To make matters worse, EL AL sent PNR codes over unencrypted
connections, so anyone positioned on the network path (a
man-in-the-middle) could read them.

Furthermore, Safety Detective's researchers found that many customers
were sharing their PNR codes on social media, which made them easy
targets for anyone who knew of the Amadeus bug.

After running a small and non-threatening script to check for any
brute-force protections, none of which were found, we were able to
find PNRs of random customers, which included all of their personal
information. We contacted ELAL immediately to point out the threat and
prompt them to close the breach before it was discovered by anyone
with malicious intentions.
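The enumeration the researchers describe (a script walking record identifiers with no brute-force protection in the way) leaves a distinctive trace in web-server logs. As an added example, not code from the article or from Safety Detective, the following Python flags a client that fetches many different PNR identifiers in a short window and counts how often the identifier rose by exactly one between requests, the signature of an id-walking script. The log format, the thresholds and the sample lines are constructed assumptions; RULE_SOURCE_1_ID is the parameter name the article gives.

```python
# Added example (not code from the article or from Safety Detective): spotting PNR
# enumeration in web-server access logs. The log format, the thresholds and the
# sample lines below are constructed assumptions; RULE_SOURCE_1_ID is the
# parameter the article names.
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format with the query string visible in the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET \S*[?&]RULE_SOURCE_1_ID=(?P<pnr_id>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client walks sequential ids, one client re-checks its own booking.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.9 - - [17/Jan/2019:10:00:{i:02d} +0000] '
     f'"GET /pnr?RULE_SOURCE_1_ID={100000 + i} HTTP/1.1" 200 512' for i in range(1, 9)]
    + ['198.51.100.4 - - [17/Jan/2019:10:00:03 +0000] '
       '"GET /pnr?RULE_SOURCE_1_ID=100777 HTTP/1.1" 200 503',
       '198.51.100.4 - - [17/Jan/2019:10:05:00 +0000] '
       '"GET /pnr?RULE_SOURCE_1_ID=100777 HTTP/1.1" 200 503',
       '198.51.100.4 - - [17/Jan/2019:10:05:01 +0000] "GET /static/logo.png HTTP/1.1" 200 9000']
)


def parse(line):
    """Return (client_ip, timestamp, pnr_id) for a PNR lookup line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["pnr_id"])


def find_enumerators(log_text, window_s=60, max_distinct=5):
    """Flag clients that fetched more than max_distinct different PNR ids inside a
    sliding window of window_s seconds. Returns {ip: (distinct_ids, sequential_steps)},
    where sequential_steps counts consecutive requests whose id rose by exactly one,
    which separates an id-walking script from a traveller rechecking one booking."""
    recent = defaultdict(deque)   # ip -> (timestamp, pnr_id) pairs still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, pnr_id = rec
        q = recent[ip]
        q.append((ts, pnr_id))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ids = [i for _, i in q]
        distinct = len(set(ids))
        seq_steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        # keep the worst window seen for each client
        if distinct > max_distinct and distinct > alerts.get(ip, (0, 0))[0]:
            alerts[ip] = (distinct, seq_steps)
    return alerts


if __name__ == "__main__":
    for ip, (distinct, seq) in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {distinct} distinct PNR ids in window, {seq} sequential steps")
```

On the constructed sample only 203.0.113.9 trips the rule: eight distinct identifiers in eight seconds, seven of them one step apart, while the traveller at 198.51.100.4 re-checking a single booking does not. In production the same counters are worth keeping per session cookie as well as per address, since an enumeration script is cheap to spread across many source addresses.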

In its notification to EL AL, the researchers also proposed several
measures to mitigate the vulnerability, from introducing captchas and
passwords so that the 6-character PNR code is no longer the sole
credential, to bot protection that blocks brute-force scripts like the
one they used.
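The two sides of the story above, the locator-only lookup that let any record be read by changing an identifier, and the second credential plus anti-bot throttling the researchers proposed, as an added example that is not EL AL's, Amadeus's or Safety Detective's code. It is written in Python; the bookings, the limit values, the candidate list and the class and function names are constructed assumptions, and rate limiting stands in for the captcha, which is out of scope here.

```python
# Added example (not EL AL or Amadeus code): the locator-only lookup the article
# describes beside a hardened version implementing the researchers' proposed
# mitigations (a second credential and brute-force throttling). The bookings,
# the limit values and the candidate list are constructed assumptions.
import hmac
import string
import time
from collections import defaultdict

PNR_ALPHABET = string.ascii_uppercase + string.digits  # 36**6, about 2.2e9 six-character codes

# Constructed sample bookings keyed by record locator; the surname is the second factor.
BOOKINGS = {
    "A1B2C3": {"surname": "COHEN", "flight": "LY001", "seat": "12A"},
    "Z9Y8X7": {"surname": "LEVI", "flight": "LY315", "seat": "3C"},
}


def lookup_vulnerable(pnr):
    """Locator-only lookup: whoever enumerates or guesses a locator reads the record."""
    return BOOKINGS.get(pnr)


class Limiter:
    """Sliding-window request counter per key (client address or locator)."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(list)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        hits = [t for t in self.hits[key] if now - t < self.window_s]
        self.hits[key] = hits
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class HardenedLookup:
    def __init__(self):
        self.per_client = Limiter(limit=10, window_s=60)    # slows a single source
        self.per_locator = Limiter(limit=5, window_s=600)   # slows distributed guessing of one record
        self.denied = 0                                     # requests dropped by a limiter

    def lookup(self, pnr, surname, client_ip, now=None):
        # Throttle before touching the store; a throttled request gets the same
        # answer as a miss, so the response reveals nothing about the locator.
        if not self.per_client.allow(client_ip, now) or not self.per_locator.allow(pnr, now):
            self.denied += 1
            return None
        rec = BOOKINGS.get(pnr)
        # Compare the second factor in constant time; a missing record compares
        # against a dummy so timing does not separate unknown from known locators.
        expected = (rec or {}).get("surname", "\0" * 16).encode()
        if rec is None or not hmac.compare_digest(expected, surname.strip().upper().encode()):
            return None
        return rec


# Constructed candidate list, as an enumeration script would produce: two real
# locators among junk. The script never supplies a surname.
CANDIDATES = ["A1B2C3"] + [f"JUNK{i:02d}" for i in range(18)] + ["Z9Y8X7"]


def simulate_enumeration(candidates, client_ip="203.0.113.9"):
    """Replay candidates against both endpoints from one client at one request per
    second. Returns (records leaked by the vulnerable lookup, records leaked by
    the hardened lookup, requests the hardened lookup throttled)."""
    leaked_vuln = sum(1 for p in candidates if lookup_vulnerable(p) is not None)
    hard = HardenedLookup()
    leaked_hard = sum(1 for i, p in enumerate(candidates)
                      if hard.lookup(p, "", client_ip, now=float(i)) is not None)
    return leaked_vuln, leaked_hard, hard.denied


if __name__ == "__main__":
    print(simulate_enumeration(CANDIDATES))  # (2, 0, 10)
```

Against the constructed list the vulnerable lookup hands over both real bookings, the hardened one hands over none and drops half the requests once the per-client limit is reached; a legitimate traveller who supplies the locator and surname still gets the record. The per-locator limiter matters as much as the per-client one: it caps how many guesses a distributed script can spend on any single booking, which is what a shared-on-social-media locator invites.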

When contacted about the vulnerability in its online reservation
system, Amadeus issued the following statement:

At Amadeus, we give security the highest priority and are constantly
monitoring and updating our systems. Our technical teams took
immediate action and we can now confirm that the issue is solved. To
further strengthen security, we have added a Recovery PTR to prevent a
malicious user from accessing travelers’ personal information. We
regret any inconvenience this situation might have caused.

The original article includes a video demonstration of Safety
Detective's brute-force script used to guess random PNR codes. The
script no longer works after Amadeus patched the issue in its Central
Reservation System (CRS).
