141 Airlines Worldwide Affected by Biggest Security Vulnerability – Tens of Millions of Flight Travelers Affected

Researchers discovered a major security vulnerability in online flight ticket booking system that affected almost half of the fight travelers around the world.

The Vulnerability was discovered by Noam Rotem , an Isreal security researcher when he was trying to book a flight in ELAL Israel Airlines.

He uncovered this critical flaw in the widely used ticket booking system Amadeus that allows anyone to access and change private information on flight bookings for 141 airlines.

Amadeus referred as one of the largest reservation systems, serving for 141 airlines including world-leading airline customers of British Airways, Air France, Icelandair, Qantas etc.

This same vulnerability was discovered include 44% of the international carriers market including United Airlines, Lufthansa, Air Canada, and many more that affects tens of millions of travelers.

This could allows anyone can edit and change someone’s ticket reservation for any Airline which is used Amadeus reservation system by just having booking reference number.

Vulnerability in the Ticket Booking System

Researcher uncovered this vulnerability by analyse the link he received that associated with ticket booking system(PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE.)

Here, by changing the RULE_SOURCE_1_ID, researchers access any customers PNR and access the customer name and associated flight details.

It was made the process easy to log into ELAL’s customer portal With the help of PNR and customer name and anyone could make changes..

“This control allows claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service”

Researchers from Safety Detective research lab execute a simple script that exposed the PNR numbers and was able to find active numbers in Amadeus.

Another non-threatening script proves that the system was vulnerable to brute-force attack due to lacking captchas and passwords protection security systems.

Amadeus replied, “At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action and we can now confirm that the issue is solved. To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information. We regret any inconvenience this situation might have caused.”

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

4 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

4 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

7 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

10 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

11 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

11 hours ago