Credits: The Register
A now-patched vulnerability in the Amadeus flight reservation system – used by airlines around the planet – could, or may, have been exploited by miscreants to view strangers’ boarding passes.
David Stubley, CEO at UK security consultancy 7 Elements, told us last night he discovered the privacy-busting flaw, which was present in the Amadeus check-in application used by airlines.
Specifically, Stubley explained, when a traveler went to view their boarding pass, Amadeus presented the paperwork on a page with a URL that includes the passenger’s ID number. This ID number could be changed to another number to call up other boarding passes from other Amadeus customers, such as British Airways, Air France, and United Airlines, without any further authentication. Just change the number in the web address bar and hit enter to fetch the pass for that ID number.
This is a classic insecure direct object reference (IDOR) vulnerability, which can be exploited to enumerate through records that otherwise should be off limits. Here is an example check-in URL with the passenger’s ID number in bold:
Stubley told The Register the flaw could be exploited in both websites and apps for airlines that use Amadeus’s technology to handle their reservations and boarding passes – that’s roughly half of the world’s major carriers.
“Originally it was found when using an airline’s mobile app for check-in,” the CEO said. “Once you have the URL you can then access directly without needing to use the website or mobile app.”
The bug was privately disclosed to Amadeus and was patched prior to public disclosure, so airlines and their customers are already protected. Still, the disclosure is hardly a ringing endorsement for Amadeus in the wake of the company’s previous infosec gaffes.
The ability to pull up boarding passes would, at best, be a potential disclosure of personal information as a snoop could see things like flight dates and times, and possibly use that to collect other information.
More seriously, the downloaded boarding passes would be valid, meaning a scumbag who printed out the pass, arrived before the actual customer, and was able to somehow get past security could use it to get into restricted areas or a flight.
“It should be noted that additional security controls may restrict the successful use of a boarding pass that has already been used to gain access airside,” said Stubley. “However, those controls are not uniformly deployed across all airports.”
Amadeus sent us the following statement:
“Amadeus recently became aware of a configuration flaw affecting its Altéa Self Service Check-In solution. Our security teams took immediate action and the vulnerability is now fixed. We are not aware of there having been any further unauthorized access resulting from the vulnerability, beyond the activity of the security researcher. We regret any inconvenience this might cause to our customers.”