Categories: Security

Airport Gate Screens ‘Exposes Personal Data’ Of Passengers

Passengers’ personal data was exposed via a public gate display due to poor security, according to a researcher, who said the incident reflects broader problems in the travel industry.

Symantec computer security researcher Candid Wueest said he was waiting to board a flight at an unnamed European airport when he noticed one of the displays showed a timed-out browser window.

Public-facing server

He opened the IP address displayed on his smartphone and found to his surprise it was available from the public Internet, he wrote in an advisory.

Moreover the server listed debug pages for each flight that listed database records including passengers on the standby list, including information such as their booking reference codes, also known as the passenger name record (PNR), Wueest said.

The travellers’ names were shortened to three to five characters, but full names would be easy to guess, he said.

“Anybody that knew about this publicly accessible server could view passenger PNR codes and guess the last names,” Wueest wrote.

Names and PNRs are usually all that are needed to access passenger bookings, which often contain detailed personal data that could be used for identity theft or targeted email attacks, as well as allowing an attacker to cancel or change bookings.

Booking access

“Once logged in, an attacker can see details about the flight and all other passengers on the same booking,” Wueest wrote. “This includes full names and often email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth.”

He noted there has been increased concern over the security of passenger data such as PNR codes, with such data being visible, for instance, on boarding passes and luggage tags that users may share images of on social media.

He said he reported the issue to the operator involved, which fixed it.

“Fixing the security weaknesses of travel booking systems is no easy task as the global booking systems are heavily interconnected and dependent on each other,” he wrote, adding that the EU’s upcoming General Data Protection Regulation (GDPR) will soon compel businesses to put more effort into protecting customers’ data.

What do you know about outgoing President Barack Obama and his relationship with tech?Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Google Confronts Break-Up Threat From US DoJ

US Department of Justice mulls asking judge to force Google to sell parts of its…

3 hours ago

US Supreme Court Rejects X’s Trump Appeal

US Supreme Court declines to hear appeal from X, formerly Twitter, over nondisclosure order attached…

1 day ago

US Judge Orders Google To Allow Android App Store Competition

US federal judge orders Google to undertake wide range of measures allowing third-party app stores…

1 day ago

Ukraine Hackers Disrupt Russian Broadcaster On Putin’s Birthday

Ukrainian hackers disrupt online services of Russian state broadcaster VGTRK on Vladimir Putin's birthday, amidst…

1 day ago

Amazon Antitrust Case Gets Go-Ahead In US Court

US federal judge says FTC and 18 states may proceed with landmark Amazon antitrust case,…

1 day ago