Critical flaw in Amadeus booking platform affected 141 airlines

Attackers could have exploited the bug to gain unauthorised access to flights with 44% of the world’s airlines

An image of a plane taking off against a highly stylised backdrop

An undiscovered flaw in an online booking system used by 141 airlines across the world could have allowed attackers to alter an airline manifest and steal air miles.

A major vulnerability in the Amadeus booking system used by 44% of the airline industry, including British Airways (BA) and Lufthansa, could have let a malicious actor assign seats and meal preferences, as well as change the personal details of passengers.

Advertisement - Article continues below

The issue, which is now fixed, was first identified by an Israeli security researcher Noam Rotem while he was booking a flight with the Isreali national carrier ELAL, according to a Safety Detective blog post.

When he received his flight booking reference, known in the industry as a PNR, he discovered he could change a specific element of the webpage, RULE_SOURCE_1_ID, to view any customers' PNR and gain access to the name and flight details.

With this information, he was able to login to the online portal and therefore make changes to a passenger's flight details, including email address and phone number, which could be used to cancel or change a flight reservation.

"Though the security breach requires knowledge of the PNR code, ELAL sends these codes via unencrypted email, and many people even share them on Facebook or Instagram," said Safety Detective's Paul Kane. "But that's just the tip of the iceberg."

Advertisement - Article continues below
Advertisement - Article continues below

"After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information.

"We contacted ELAL immediately to point out the threat and prompt them to close the breach before it was discovered by anyone with malicious intentions."

Beyond reassigning air miles, this vulnerability could have posed a massive threat to nations' national security, with malicious actors theoretically able to change a flight manifest to broker unauthorised access to an aircraft.

"At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems," a company spokesperson told IT Pro

"We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed."

"We can confirm that Amadeus has not detected any data breach and that no data from travellers was disclosed. We regret any disruption this situation may have caused."

Advertisement - Article continues below

The spokesperson continued to suggest that because the industry works on common standards, including the PNR, any further improvements should include an industry-wide assessment of the standards themselves.

"Everything in the aviation ecosystem is interconnected, and therefore, vulnerable to cyber attacks," said Raytheon's vice president for support and modernisation Todd Probert.

"Whether it be a reservation system, as was the case for Amadeus, a major airline, aircraft, or a hotel chain accommodating frequent flyers, cybercriminals have a gamut of systems at their fingertips that are far too easy to crack.

"Just like with the Marriott breach last year, this hack provides foreign actors with the patterns of life of global political and business leaders, including who they travelled with, when and where. The aviation industry is built on trust. Preserving that trust requires layers upon layers of cybersecurity."

The aviation industry has faced its fair share of security threats in recent months, with the most notable victims comprising hundreds of thousands of BA passengers whose data was stolen in two breaches last year.

Similarly, a Chinese airline Cathay Pacific sustained a massive breach in which attackers made away with the personal information belonging to 9.4 million passengers, including names, nationalities, passport numbers and credit card numbers.



cyber security

Hackers torn over how to adapt their tactics to the coronavirus pandemic

3 Apr 2020
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020

Most Popular

cyber security

Elon Musk's SpaceX bans Zoom over security fears

2 Apr 2020
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020