Amadeus! Amadeus! Pwn me Amadeus! Airline check-in bug may have exposed all y'all boarding passes to spies

Patched IDOR hole would have been child's play to exploit


Updated A now-patched vulnerability in the Amadeus flight reservation system – used by airlines around the planet – could, or may, have been exploited by miscreants to view strangers' boarding passes.

David Stubley, CEO at UK security consultancy 7 Elements, told us last night he discovered the privacy-busting flaw, which was present in the Amadeus check-in application used by airlines.

Specifically, Stubley explained, when a traveler went to view their boarding pass, Amadeus presented the paperwork on a page with a URL that includes the passenger's ID number. This ID number could be changed to another number to call up other boarding passes from other Amadeus customers, such as British Airways, Air France, and United Airlines, without any further authentication. Just change the number in the web address bar and hit enter to fetch the pass for that ID number.

This is a classic insecure direct object reference (IDOR) vulnerability, which can be exploited to enumerate through records that otherwise should be off limits. Here is an example check-in URL with the passenger's ID number in bold:

https://checkin.si.amadeus.net/1ASIHSSCWEBQS/sscwqs/mbp?IFOI=DCS&id=300193064&ln=en&productIndex=0

Stubley told The Register the flaw could be exploited in both websites and apps for airlines that use Amadeus's technology to handle their reservations and boarding passes – that's roughly half of the world's major carriers.

"Originally it was found when using an airline's mobile app for check-in," the CEO said. "Once you have the URL you can then access directly without needing to use the website or mobile app."

woman waits at airport

Amadeus booking software outages smack airports across world

READ MORE

The bug was privately disclosed to Amadeus and was patched prior to public disclosure, so airlines and their customers are already protected. Still, the disclosure is hardly a ringing endorsement for Amadeus in the wake of the company's previous infosec gaffes.

The ability to pull up boarding passes would, at best, be a potential disclosure of personal information as a snoop could see things like flight dates and times, and possibly use that to collect other information.

More seriously, the downloaded boarding passes would be valid, meaning a scumbag who printed out the pass, arrived before the actual customer, and was able to somehow get past security could use it to get into restricted areas or a flight.

"It should be noted that additional security controls may restrict the successful use of a boarding pass that has already been used to gain access airside," said Stubley. "However, those controls are not uniformly deployed across all airports." ®

Updated to add

“Amadeus recently became aware of a configuration flaw affecting its Altéa Self Service Check-In solution," Amadeus told The Register in a statement.

"Our security teams took immediate action and the vulnerability is now fixed. We are not aware of there having been any further unauthorized access resulting from the vulnerability, beyond the activity of the security researcher. We regret any inconvenience this might cause to our customers.”

Similar topics


Other stories you might like

  • Why should I pay for that security option? Hijacking only happens to planes

    But if I give him my bank details, I'll be rich!

    On Call Friday is here. We'd suggest an adult beverage or two to celebrate, but only if you BYOB. While you fill your suitcase, may we present an episode of On Call in which a reader saves his boss from a dunking.

    Our tale comes from a reader Regomised as "Ed" and is set earlier this century. Ed was working as a developer in a biotech lab. He rarely spoke to the director, but did speak to the director's personal assistant a lot.

    This PA was very much a jack of all trades (and master of... well, you get the drift). HR? He was in charge of that. Ops? That too. Anything technical? Of course. Heck, even though the firm had its very own bean counter, one had to go through the PA to get anything paid or budgets approved.

    Continue reading
  • UK, Australia, to build 'network of liberty that will deter cyber attacks before they happen'

    Enhanced 'Cyber and Critical Technology Partnership' will transport crime to harsh penal regime on the other side of the world

    The United Kingdom and Australia have signed a Cyber and Critical Technology Partnership that will, among other things, transport criminals to a harsh penal regime on the other side of the world.

    Australian foreign minister Marise Payne and UK foreign secretary Liz Truss yesterday inked the document in Sydney but haven't revealed the text of the pact.

    What we do know is that the two nations have pledged to "Increase deterrence by raising the costs for hostile state activity in cyberspace – including through strategic co-ordination of our cyber sanctions regimes." That's code for both nations adopting the same deterrents and punishments for online malfeasance so that malfeasants can't shop jurisdictions to find more lenient penalties.

    Continue reading
  • Japan's Supreme Court rules cryptojacking scripts are not malware

    Coinhive-slinger wins on appeal

    A man found guilty of using the Coinhive cryptojacking script to mine Monero on users' PCs while they browsed the web has been cleared by Japan's Supreme Court on the grounds that crypto mining software is not malware.

    Tokyo High Court ruled against the defendant, 34-year-old Seiya Moroi, on charges of keeping electromagnetic records of an unjust program. That unjust program was Coinhive, a "cryptojacking" script that mines for Monero by pinching some CPU cycles when users visit a web page that includes the code. Moroi ran the code on his website.

    Coinhive has been blocked by malware and antivirus vendors as it slows down other processes, increases utility bills, and creates wear and tear on your device. But in many ways Coinhive's Javascript code acts no differently to advertisements.

    Continue reading

Biting the hand that feeds IT © 1998–2022