Critical flaw in Amadeus booking platform affected 141 airlines

Attackers could have exploited the bug to gain unauthorised access to flights with 44% of the world’s airlines

An image of a plane taking off against a highly stylised backdrop

An undiscovered flaw in an online booking system used by 141 airlines across the world could have allowed attackers to alter an airline manifest and steal air miles.

A major vulnerability in the Amadeus booking system used by 44% of the airline industry, including British Airways (BA) and Lufthansa, could have let a malicious actor assign seats and meal preferences, as well as change the personal details of passengers.

The issue, which is now fixed, was first identified by an Israeli security researcher Noam Rotem while he was booking a flight with the Isreali national carrier ELAL, according to a Safety Detective blog post.

When he received his flight booking reference, known in the industry as a PNR, he discovered he could change a specific element of the webpage, RULE_SOURCE_1_ID, to view any customers' PNR and gain access to the name and flight details.

With this information, he was able to login to the online portal and therefore make changes to a passenger's flight details, including email address and phone number, which could be used to cancel or change a flight reservation.

"Though the security breach requires knowledge of the PNR code, ELAL sends these codes via unencrypted email, and many people even share them on Facebook or Instagram," said Safety Detective's Paul Kane. "But that's just the tip of the iceberg."

"After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information.

"We contacted ELAL immediately to point out the threat and prompt them to close the breach before it was discovered by anyone with malicious intentions."

Beyond reassigning air miles, this vulnerability could have posed a massive threat to nations' national security, with malicious actors theoretically able to change a flight manifest to broker unauthorised access to an aircraft.

"At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems," a company spokesperson told IT Pro

"We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed."

"We can confirm that Amadeus has not detected any data breach and that no data from travellers was disclosed. We regret any disruption this situation may have caused."

The spokesperson continued to suggest that because the industry works on common standards, including the PNR, any further improvements should include an industry-wide assessment of the standards themselves.

"Everything in the aviation ecosystem is interconnected, and therefore, vulnerable to cyber attacks," said Raytheon's vice president for support and modernisation Todd Probert.

"Whether it be a reservation system, as was the case for Amadeus, a major airline, aircraft, or a hotel chain accommodating frequent flyers, cybercriminals have a gamut of systems at their fingertips that are far too easy to crack.

"Just like with the Marriott breach last year, this hack provides foreign actors with the patterns of life of global political and business leaders, including who they travelled with, when and where. The aviation industry is built on trust. Preserving that trust requires layers upon layers of cybersecurity."

The aviation industry has faced its fair share of security threats in recent months, with the most notable victims comprising hundreds of thousands of BA passengers whose data was stolen in two breaches last year.

Similarly, a Chinese airline Cathay Pacific sustained a massive breach in which attackers made away with the personal information belonging to 9.4 million passengers, including names, nationalities, passport numbers and credit card numbers.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

SonicWall hacked via zero-day flaw in remote access tools
Security

SonicWall hacked via zero-day flaw in remote access tools

25 Jan 2021
Global ransom DDoS extortionists are retargeting companies
distributed denial of service (DDOS)

Global ransom DDoS extortionists are retargeting companies

22 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
Trump pardons convicted ex-Google engineer Levandowski
intellectual property

Trump pardons convicted ex-Google engineer Levandowski

20 Jan 2021