[BreachExchange] Security Flaw Exposed Valid Airline Boarding Passes

Destry Winant destry at riskbasedsecurity.com
Wed Jul 17 08:26:56 EDT 2019


https://www.databreachtoday.com/security-flaw-exposed-valid-airline-boarding-passes-a-12783

A vulnerability in global airline check-in software used by hundreds
of airlines could have been exploited to allow users to view other
individuals' boarding passes and personal details, warns incident
response expert David Stubley.

The vulnerability, which has now been patched, existed in travel
software developed by Madrid-based Amadeus IT Group. The flaw was
discovered by Stubley, who heads Edinburgh, Scotland-based security
testing firm and consultancy 7 Elements.

"It was possible to download valid boarding passes - not belonging to
the user - for future flights due to an insecure direct object
reference weakness within the application," Stubley tells Information
Security Media Group. "Insecure direct object reference or IDOR
vulnerabilities occur when an application provides direct access to
objects based on user-supplied input, bypassing expected
authentication and user access controls."

Amadeus develops travel industry software used by 500 airlines -
including United Airlines and Air Canada - as well as hotels, rail and
cruise lines, tour operators and others.

"Amadeus recently became aware of a configuration flaw affecting its
Altéa Self Service Check-In solution," a spokeswoman tells ISMG. "Our
security teams took immediate action and the vulnerability is now
fixed. We are not aware of there having been any further unauthorized
access resulting from the vulnerability, beyond the activity of the
security researcher. We regret any inconvenience this might cause to
our customers."

Amadeus didn't immediately respond to a request for further comment
about how it tracks unauthorized access and whether it proactively
monitors for this.

Stubley says he discovered the flaw in the Amadeus software last week
while waiting at Birmingham Airport to board a Flybe flight home to
Edinburgh. Noticing how the Amadeus web application's URL was
structured, he began testing if it would allow him to change
parameters and still get results.

Patch Timeline

July 8: Stubley reports vulnerability to Flybe, which reports it to
Amadeus on the same day.
July 11: Vulnerability reported to Britain's Civil Aviation Authority.
The same day, Flybe reports that Amadeus has received vulnerability
notice and is "taking remediation action."
July 15: Amadeus confirms fixes are in place.
July 16: Security advisory published.

IDOR flaws are not rare, and at times have featured on the Open Web
Application Security Project's top 10 list of the worst web
application vulnerabilities.

"Insecure direct object references allow attackers to bypass
authorization and access resources directly by modifying the value of
a parameter used to directly point to an object," according to OWASP.
"Such resources can be database entries belonging to other users,
files in the system and more. This is caused by the fact that the
application takes user supplied input and uses it to retrieve an
object without performing sufficient authorization checks."
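The IDOR pattern Stubley and OWASP describe above, as an added illustration that is not code from Amadeus, 7 Elements or the article: a constructed in-memory store of boarding passes, a lookup that serves whatever key the client supplies, the same lookup with a session and ownership check, and a per-session indirect reference map so the raw key never reaches the client. All names and data are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import secrets

# Constructed sample records; field names are an assumption, not a real schema.
@dataclass(frozen=True)
class BoardingPass:
    pass_id: int        # sequential database key, trivially guessable
    owner: str          # account that performed check-in
    passenger: str
    flight: str
    booking_ref: str

PASSES = {
    1001: BoardingPass(1001, "alice", "A. Example", "XX123", "ABC123"),
    1002: BoardingPass(1002, "bob", "B. Example", "XX456", "XYZ789"),
}

def get_pass_vulnerable(pass_id: int) -> Optional[BoardingPass]:
    """IDOR: the key comes straight from the request and nothing ties it
    to the caller, so any id that exists in the store is returned."""
    return PASSES.get(pass_id)

def get_pass_secure(session_user: Optional[str], pass_id: int) -> Optional[BoardingPass]:
    """Fixed form: require an authenticated session and verify the object
    belongs to that session before returning it. A foreign object and a
    missing object are indistinguishable to the caller (no enumeration oracle)."""
    if session_user is None:
        return None
    bp = PASSES.get(pass_id)
    if bp is None or bp.owner != session_user:
        return None
    return bp

class ReferenceMap:
    """Indirect object references: hand the client a random per-session
    handle instead of the database id, and resolve it only for the same
    session. Ownership is still re-checked on resolution (defense in depth)."""
    def __init__(self) -> None:
        self._handles: Dict[str, Tuple[str, int]] = {}

    def issue(self, session_user: str, pass_id: int) -> str:
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = (session_user, pass_id)
        return handle

    def resolve(self, session_user: str, handle: str) -> Optional[BoardingPass]:
        entry = self._handles.get(handle)
        if entry is None or entry[0] != session_user:
            return None
        return get_pass_secure(session_user, entry[1])
```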

Stubley says the flaw would have affected all of the approximately 500
airlines that use Amadeus software.

He's published a technical advisory containing more details, as well
as a proof-of-concept demonstration showing "that due to a lack of
authentication required for access to the resource as well as a lack
of brute force protection, it was possible to automate an attack to
enumerate supported airlines."

At Risk: Personally Identifiable Information

Stubley says the vulnerability put customers' personally identifiable
information at risk because it provided unauthenticated access to
valid boarding passes containing a customer's name and flight details,
as well as their booking reference. "With that and the surname, it
would be possible to gain access to the booking and further sensitive
information such as contact details, including their mobile phone
number," he says.

Having a valid boarding pass would allow users to enter restricted
areas, such as domestic terminals, at airports serviced by airlines
that use Amadeus software. But additional security controls should
have prevented individuals from being able to use other people's
boarding passes to gain access to an airplane.

"In terms of context, it's important to note that additional security
controls at airports - such as ability to identify reuse of a boarding
pass at security - would limit the impact of anyone gaining airside
access," Stubley says. "However, not all airports use the same
technology, so it's not an even playing field."

Takeaway: 'Trust But Verify'

One takeaway is that this particular problem isn't the fault of the
airlines, Stubley says, but rather the software provider. The incident
also demonstrates "the need to gain assurance over commercial
off-the-shelf software applications, rather than blindly trusting as
everyone else uses so it must be OK," he says. "As with most things in
life, 'trust but verify' remains king."

This is not the first time flaws have been found in Amadeus software.
In January, security researcher Noam Rotem reported finding an IDOR
booking software vulnerability that exposed airline passenger name
records, which is the bundle of personal and travel data that gets
collected whenever someone books a flight.

Rotem, who works at the security firm Safety Detective, discovered
that he could alter the booking reference number contained in a link
to retrieve other passengers' details. He discovered the flaw while
using airline El Al's website while booking his own flight. El Al uses
Amadeus travel software.

Amadeus apologized for the flaw, said it had no evidence that the
vulnerability had been abused to steal user data, and rapidly put a
fix in place (see: Airline Booking System Exposed Passenger Details).

Legacy Software Risks

Global distribution systems such as Amadeus, Sabre and U.K.-based
Travelport are decades old. Amadeus, for example, was originally
created by a consortium of European airlines - Air France, Iberia,
Lufthansa and SAS - in 1987 to connect their systems with travel
agencies and consumers, and to provide an alternative to the Sabre
system that was originally developed by American Airlines.

But security researchers have warned that the companies' legacy
software can sometimes be built into web services without proper
security controls - including access controls - being put in place.
