Critical flaw in Amadeus booking platform affected 141 airlines

Attackers could have exploited the bug to gain unauthorised access to flights with 44% of the world’s airlines

An image of a plane taking off against a highly stylised backdrop

An undiscovered flaw in an online booking system used by 141 airlines across the world could have allowed attackers to alter an airline manifest and steal air miles.

A major vulnerability in the Amadeus booking system used by 44% of the airline industry, including British Airways (BA) and Lufthansa, could have let a malicious actor assign seats and meal preferences, as well as change the personal details of passengers.

The issue, which is now fixed, was first identified by an Israeli security researcher Noam Rotem while he was booking a flight with the Isreali national carrier ELAL, according to a Safety Detective blog post.

When he received his flight booking reference, known in the industry as a PNR, he discovered he could change a specific element of the webpage, RULE_SOURCE_1_ID, to view any customers' PNR and gain access to the name and flight details.

Advertisement - Article continues below
Advertisement - Article continues below

With this information, he was able to login to the online portal and therefore make changes to a passenger's flight details, including email address and phone number, which could be used to cancel or change a flight reservation.

"Though the security breach requires knowledge of the PNR code, ELAL sends these codes via unencrypted email, and many people even share them on Facebook or Instagram," said Safety Detective's Paul Kane. "But that's just the tip of the iceberg."

"After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information.

"We contacted ELAL immediately to point out the threat and prompt them to close the breach before it was discovered by anyone with malicious intentions."

Beyond reassigning air miles, this vulnerability could have posed a massive threat to nations' national security, with malicious actors theoretically able to change a flight manifest to broker unauthorised access to an aircraft.

"At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems," a company spokesperson told IT Pro

Advertisement - Article continues below

"We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed."

"We can confirm that Amadeus has not detected any data breach and that no data from travellers was disclosed. We regret any disruption this situation may have caused."

The spokesperson continued to suggest that because the industry works on common standards, including the PNR, any further improvements should include an industry-wide assessment of the standards themselves.

"Everything in the aviation ecosystem is interconnected, and therefore, vulnerable to cyber attacks," said Raytheon's vice president for support and modernisation Todd Probert.

Advertisement - Article continues below

"Whether it be a reservation system, as was the case for Amadeus, a major airline, aircraft, or a hotel chain accommodating frequent flyers, cybercriminals have a gamut of systems at their fingertips that are far too easy to crack.

"Just like with the Marriott breach last year, this hack provides foreign actors with the patterns of life of global political and business leaders, including who they travelled with, when and where. The aviation industry is built on trust. Preserving that trust requires layers upon layers of cybersecurity."

Advertisement - Article continues below

The aviation industry has faced its fair share of security threats in recent months, with the most notable victims comprising hundreds of thousands of BA passengers whose data was stolen in two breaches last year.

Similarly, a Chinese airline Cathay Pacific sustained a massive breach in which attackers made away with the personal information belonging to 9.4 million passengers, including names, nationalities, passport numbers and credit card numbers.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020