Critical flaw in Amadeus booking platform affected 141 airlines

Attackers could have exploited the bug to gain unauthorised access to flights with 44% of the world’s airlines

An image of a plane taking off against a highly stylised backdrop

An undiscovered flaw in an online booking system used by 141 airlines across the world could have allowed attackers to alter an airline manifest and steal air miles.

A major vulnerability in the Amadeus booking system used by 44% of the airline industry, including British Airways (BA) and Lufthansa, could have let a malicious actor assign seats and meal preferences, as well as change the personal details of passengers.

Advertisement - Article continues below

The issue, which is now fixed, was first identified by an Israeli security researcher Noam Rotem while he was booking a flight with the Isreali national carrier ELAL, according to a Safety Detective blog post.

When he received his flight booking reference, known in the industry as a PNR, he discovered he could change a specific element of the webpage, RULE_SOURCE_1_ID, to view any customers' PNR and gain access to the name and flight details.

With this information, he was able to login to the online portal and therefore make changes to a passenger's flight details, including email address and phone number, which could be used to cancel or change a flight reservation.

"Though the security breach requires knowledge of the PNR code, ELAL sends these codes via unencrypted email, and many people even share them on Facebook or Instagram," said Safety Detective's Paul Kane. "But that's just the tip of the iceberg."

Advertisement - Article continues below
Advertisement - Article continues below

"After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information.

"We contacted ELAL immediately to point out the threat and prompt them to close the breach before it was discovered by anyone with malicious intentions."

Beyond reassigning air miles, this vulnerability could have posed a massive threat to nations' national security, with malicious actors theoretically able to change a flight manifest to broker unauthorised access to an aircraft.

"At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems," a company spokesperson told IT Pro

"We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed."

"We can confirm that Amadeus has not detected any data breach and that no data from travellers was disclosed. We regret any disruption this situation may have caused."

Advertisement - Article continues below

The spokesperson continued to suggest that because the industry works on common standards, including the PNR, any further improvements should include an industry-wide assessment of the standards themselves.

"Everything in the aviation ecosystem is interconnected, and therefore, vulnerable to cyber attacks," said Raytheon's vice president for support and modernisation Todd Probert.

"Whether it be a reservation system, as was the case for Amadeus, a major airline, aircraft, or a hotel chain accommodating frequent flyers, cybercriminals have a gamut of systems at their fingertips that are far too easy to crack.

"Just like with the Marriott breach last year, this hack provides foreign actors with the patterns of life of global political and business leaders, including who they travelled with, when and where. The aviation industry is built on trust. Preserving that trust requires layers upon layers of cybersecurity."

The aviation industry has faced its fair share of security threats in recent months, with the most notable victims comprising hundreds of thousands of BA passengers whose data was stolen in two breaches last year.

Similarly, a Chinese airline Cathay Pacific sustained a massive breach in which attackers made away with the personal information belonging to 9.4 million passengers, including names, nationalities, passport numbers and credit card numbers.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular


How to find RAM speed, size and type

24 Jun 2020
data protection

EU institutions told to avoid Microsoft software after licence spat

3 Jul 2020

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020