Amadeus booking system flaw could have exposed info on millions of travelers

News by Teri Robinson

A recently discovered vulnerability in the Amadeus online reservation system made it possible to access and change reservations with just a booking number.

A recently discovered vulnerability in the Amadeus online reservation system made it possible to access and change reservations with just a booking number.

The bug, in the booking system which has 44 percent of the international carriers’market, was uncovered by hacker and activist Noam Rotem, who tried to book a flight on Israel’s ELAL airline.

Rotem, working with Safety Detective’s research lab, found that "by simply changing the RULE_SOURCE_1_ID, we were able to view any PNR and access the customer name and associated flight details," according to a blog post penned by Safety Detective’s Paul Kane.

From there, the researchers could log into ELAL’s customer portal "and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service."

Acknowledging that a hacker must know a PNR code to exploit the vulnerability, the blog post explained that ELAL sends the codes out through unencrypted email and that flyers are careless with them, often sharing them on social media.

"But that’s just the tip of the iceberg," the blog said. "After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information."

The researchers, who developed a script to fix the problem, contacted ELAL to report the vulnerability and suggested the airline introduce captchas, passwords and a bot protection mechanism.

After reporting the vulnerability to Amadeus, the company wrote issued a statement saying the problem was resolved and that it also had "added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information."

Noting that "everything in the aviation ecosystem is interconnected, and therefore, vulnerable to cyber-attacks," Todd Probert, vice president of mission support and modernisation at Raytheon Intelligence,Information and Services, said "whether it be a reservation system, as was the case for Amadeus, a major airline, aircraft, or a hotel chain accommodating frequent flyers, cyber-criminals have a gamut of systems at their fingertips that are far too easy to crack."

The Amadeus vulnerability, just like last year’s Marriott breach, "provides foreign actors with the patterns of life of global political and business leaders, including who they traveled with, when and where," said Probert. "The aviation industry is built on trust. Preserving that trust requires layers upon layers of cyber-security."

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Webcasts and interviews 

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop