The big picture: Almost half of all international airlines use the Amadeus ticket booking system. Security researchers found a vulnerability that allowed hackers to easily view and change private passenger information, including claiming other passengers' frequent flyer miles for a hacker's own account, changing a passenger's contact details so that the hacker could cancel their ticket, and more.
The vulnerability was discovered by Noam Rotem with the Safety Detective Research Lab and affects 44% of international airlines (141 carriers in total). It is related to the Passenger Name Record (PNR) system, in which an identifier is assigned to each passenger on a flight.
By updating a specific element of the ticket booking webpage, RULE_SOURCE_1_ID, Rotem was able to view the customer name and flight details for any PNR he entered into Amadeus. Once he had a PNR and name pair, he could log into any of the affected airlines' portals and potentially wreak havoc.
While this isn't a threat to safety or financial data, it could easily have been used to ruin many people's days. Hackers could steal frequent flyer miles, impersonate users to cancel their flights, move seats, and change meal plans.
The page Rotem gained access to where he could change flight details of any passenger
This breach does require knowledge of the PNR codes beforehand, but customers and airlines don't exactly do a great job of protecting them. They are sent by the airline to the user unencrypted, making them vulnerable to man-in-the-middle attacks. Many customers also post pictures of their boarding passes online to social media, which exposes this information as well.
To make matters worse, Rotem also discovered that the system had no brute-force protections in place. He wrote a simple script that generated randomized PNRs and was able to access many customer accounts successfully.
Rotem has since contacted EL AL, the Israeli airline he was flying with when he initially discovered the issue. It was then passed along to the Amadeus security team which has since patched the hole.
Amadeus has since issued the following statement:
“At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action and we can now confirm that the issue is solved. To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information. We regret any inconvenience this situation might have caused.”
Rotem further suggested they introduce captchas to prevent brute-force attacks, passwords to replace the 6-digit PNRs, and bot protection mechanisms.
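The two weaknesses described above (a lookup that returned passenger details for any PNR, and no protection against guessing PNRs at scale) map to two defensive controls that Rotem's suggestions point at. The following is an added example, not Amadeus or Safety Detective code, and the bookings, client identifiers and log lines in it are constructed: a small lookup service that only returns a booking when both the PNR and the surname match, answers every failure with the same generic message, and locks a client out after a fixed number of failed attempts in a sliding window; plus a detection routine that scans lookup logs for clients failing against many distinct PNRs, which is the pattern a randomized-PNR script produces.

```python
"""Defensive model of a PNR lookup endpoint (added example; not the vendor's code)."""
import re
import time
import hmac
from collections import defaultdict, deque

# Constructed sample bookings: PNR -> (surname, booking details). All values are fictional.
BOOKINGS = {
    "ABC123": ("SMITH", {"flight": "XY123", "seat": "12A"}),
    "ZZTOP9": ("GARCIA", {"flight": "XY456", "seat": "3C"}),
}

MAX_FAILURES = 5      # failed lookups a client may make before being locked out (assumed policy)
WINDOW_SECONDS = 600  # sliding window over which failures are counted (assumed policy)


class PnrLookupService:
    """Bind the PNR to a second piece of data and rate-limit failures per client."""

    def __init__(self, bookings, clock=time.monotonic):
        self._bookings = bookings
        self._clock = clock                   # injectable so the window can be tested
        self._failures = defaultdict(deque)   # client_id -> timestamps of failed attempts

    def _recent_failures(self, client_id, now):
        q = self._failures[client_id]
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        return q

    def is_locked(self, client_id):
        return len(self._recent_failures(client_id, self._clock())) >= MAX_FAILURES

    def lookup(self, client_id, pnr, surname):
        """Return (details, status). Details are released only when PNR and surname match.

        An unknown PNR and a wrong surname produce the same message and both count as a
        failure, so the endpoint never confirms which PNRs exist.
        """
        now = self._clock()
        q = self._recent_failures(client_id, now)
        if len(q) >= MAX_FAILURES:
            return None, "too many attempts; try again later"
        record = self._bookings.get(pnr.strip().upper())
        expected = record[0] if record else ""
        # Constant-time comparison so response timing does not leak the surname.
        ok = record is not None and hmac.compare_digest(
            expected.encode(), surname.strip().upper().encode()
        )
        if not ok:
            q.append(now)
            return None, "booking not found"
        return record[1], "ok"


# Constructed lookup log lines in an assumed key=value format.
LOG_LINES = """\
2019-01-15T10:00:01Z client=203.0.113.5 pnr=ABC123 result=ok
2019-01-15T10:00:02Z client=198.51.100.7 pnr=QQQ111 result=fail
2019-01-15T10:00:02Z client=198.51.100.7 pnr=QQQ112 result=fail
2019-01-15T10:00:03Z client=198.51.100.7 pnr=QQQ113 result=fail
2019-01-15T10:00:04Z client=203.0.113.5 pnr=ABC123 result=fail
2019-01-15T10:00:05Z client=198.51.100.7 pnr=ZZTOP9 result=ok
""".splitlines()

LOG_RE = re.compile(r"client=(?P<client>\S+) pnr=(?P<pnr>\S+) result=(?P<result>\S+)")


def flag_enumeration(lines, threshold=3):
    """Return clients whose failed lookups touched at least `threshold` distinct PNRs.

    A legitimate traveller mistypes one PNR a few times; a guessing script fails across
    many different PNRs, which is what this counts.
    """
    failed_pnrs = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["result"] == "fail":
            failed_pnrs[m["client"]].add(m["pnr"])
    return sorted(c for c, pnrs in failed_pnrs.items() if len(pnrs) >= threshold)


if __name__ == "__main__":
    svc = PnrLookupService(BOOKINGS)
    print(svc.lookup("demo-client", "ABC123", "smith"))   # details released
    print(svc.lookup("demo-client", "ABC123", "jones"))   # generic failure
    print("flagged clients:", flag_enumeration(LOG_LINES))
```

The lockout is keyed on a client identifier rather than the PNR so that a guessing script is throttled regardless of which bookings it probes; a CAPTCHA or bot-protection step would slot in at the point where `lookup` returns the lockout message. The detector is deliberately independent of the service so it can run over existing logs.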