Passengers’ personal data was exposed via a public gate display due to poor security, according to a researcher, who said the incident reflects broader problems in the travel industry.
Symantec computer security researcher Candid Wueest said he was waiting to board a flight at an unnamed European airport when he noticed one of the displays showed a timed-out browser window.
He opened the IP address displayed on his smartphone and found to his surprise it was available from the public Internet, he wrote in an advisory.
Moreover the server listed debug pages for each flight that listed database records including passengers on the standby list, including information such as their booking reference codes, also known as the passenger name record (PNR), Wueest said.
The travellers’ names were shortened to three to five characters, but full names would be easy to guess, he said.
“Anybody that knew about this publicly accessible server could view passenger PNR codes and guess the last names,” Wueest wrote.
Names and PNRs are usually all that are needed to access passenger bookings, which often contain detailed personal data that could be used for identity theft or targeted email attacks, as well as allowing an attacker to cancel or change bookings.
“Once logged in, an attacker can see details about the flight and all other passengers on the same booking,” Wueest wrote. “This includes full names and often email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth.”
He noted there has been increased concern over the security of passenger data such as PNR codes, with such data being visible, for instance, on boarding passes and luggage tags that users may share images of on social media.
He said he reported the issue to the operator involved, which fixed it.
“Fixing the security weaknesses of travel booking systems is no easy task as the global booking systems are heavily interconnected and dependent on each other,” he wrote, adding that the EU’s upcoming General Data Protection Regulation (GDPR) will soon compel businesses to put more effort into protecting customers’ data.
What do you know about outgoing President Barack Obama and his relationship with tech?Try our quiz!
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…
New chapter for LastPass as it becomes an independent company to focus on cybersecurity, after…
US FCC seeks to ban Chinese telecom firms at centre of national security concerns from…
Two updates to Anthropic's AI chatbot Claude sees arrival of a new business-focused plan, as…
Most people in the United States view TikTok as a Chinese influence tool a poll…
