Categories: Security

Airport Gate Screens ‘Exposes Personal Data’ Of Passengers

Passengers’ personal data was exposed via a public gate display due to poor security, according to a researcher, who said the incident reflects broader problems in the travel industry.

Symantec computer security researcher Candid Wueest said he was waiting to board a flight at an unnamed European airport when he noticed one of the displays showed a timed-out browser window.

Public-facing server

He opened the IP address displayed on his smartphone and found to his surprise it was available from the public Internet, he wrote in an advisory.

Moreover the server listed debug pages for each flight that listed database records including passengers on the standby list, including information such as their booking reference codes, also known as the passenger name record (PNR), Wueest said.

The travellers’ names were shortened to three to five characters, but full names would be easy to guess, he said.

“Anybody that knew about this publicly accessible server could view passenger PNR codes and guess the last names,” Wueest wrote.

Names and PNRs are usually all that are needed to access passenger bookings, which often contain detailed personal data that could be used for identity theft or targeted email attacks, as well as allowing an attacker to cancel or change bookings.

Booking access

“Once logged in, an attacker can see details about the flight and all other passengers on the same booking,” Wueest wrote. “This includes full names and often email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth.”

He noted there has been increased concern over the security of passenger data such as PNR codes, with such data being visible, for instance, on boarding passes and luggage tags that users may share images of on social media.

He said he reported the issue to the operator involved, which fixed it.

“Fixing the security weaknesses of travel booking systems is no easy task as the global booking systems are heavily interconnected and dependent on each other,” he wrote, adding that the EU’s upcoming General Data Protection Regulation (GDPR) will soon compel businesses to put more effort into protecting customers’ data.

What do you know about outgoing President Barack Obama and his relationship with tech?Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Apple Delays Staff Mandate For Three Days A Week In Office – Report

Tech giant blames rising Covid cases as it again pushes back return to office deadline,…

19 mins ago

Tesla Bluetooth Locks Can Be Hacked, Warns NCC Group

Digital locks, including those fitted to Tesla vehicles, are vulnerable to being unlocked via an…

3 hours ago

Twitter Board To ‘Enforce’ Elon Musk Merger Agreement

Legal action ahead? Elon Musk's takeover agreement of Twitter will be enforced says board of…

4 hours ago

Silicon UK In Focus Podcast: Is Your Business Ready for Frontend-as-a-Service?

How could FaaS revolutionise E-commerce? And how can businesses embrace this technology to connect with…

5 hours ago

Uber Eats Offers Two Robo-Delivery Services In California

Uber Eats offers food delivery using Motional autonomous cars in Santa Monica and sidewalk robot…

24 hours ago

Russia ‘Not Planning To Block YouTube’ Says Minister

Digital minister says Russia not planning to block YouTube in the country as Russian users…

1 day ago