Passengers’ personal data was exposed via a public gate display due to poor security, according to a researcher, who said the incident reflects broader problems in the travel industry.
Symantec computer security researcher Candid Wueest said he was waiting to board a flight at an unnamed European airport when he noticed one of the displays showed a timed-out browser window.
He opened the IP address displayed on his smartphone and found to his surprise it was available from the public Internet, he wrote in an advisory.
Moreover the server listed debug pages for each flight that listed database records including passengers on the standby list, including information such as their booking reference codes, also known as the passenger name record (PNR), Wueest said.
The travellers’ names were shortened to three to five characters, but full names would be easy to guess, he said.
“Anybody that knew about this publicly accessible server could view passenger PNR codes and guess the last names,” Wueest wrote.
Names and PNRs are usually all that are needed to access passenger bookings, which often contain detailed personal data that could be used for identity theft or targeted email attacks, as well as allowing an attacker to cancel or change bookings.
“Once logged in, an attacker can see details about the flight and all other passengers on the same booking,” Wueest wrote. “This includes full names and often email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth.”
He noted there has been increased concern over the security of passenger data such as PNR codes, with such data being visible, for instance, on boarding passes and luggage tags that users may share images of on social media.
He said he reported the issue to the operator involved, which fixed it.
“Fixing the security weaknesses of travel booking systems is no easy task as the global booking systems are heavily interconnected and dependent on each other,” he wrote, adding that the EU’s upcoming General Data Protection Regulation (GDPR) will soon compel businesses to put more effort into protecting customers’ data.
What do you know about outgoing President Barack Obama and his relationship with tech?Try our quiz!
Supreme Court clears X to resume access in Brazil, after high profile clash between top…
US Department of Justice mulls asking judge to force Google to sell parts of its…
US Supreme Court declines to hear appeal from X, formerly Twitter, over nondisclosure order attached…
US federal judge orders Google to undertake wide range of measures allowing third-party app stores…
Ukrainian hackers disrupt online services of Russian state broadcaster VGTRK on Vladimir Putin's birthday, amidst…
US federal judge says FTC and 18 states may proceed with landmark Amazon antitrust case,…