Many airlines allow passengers to view and make adjusts to flight details by using a unique identifier often called the booking reference, or passenger reference number, and the customers last name. 

Unfortunately, there are several airlines that have not implemented mechanisms that would prevent someone from obtaining the PNR through a brute force attack on an airlines' booking management system. 

This news comes from Ahmed El-fanagely of Egypt, who claims to have developed a tool that would enable an attacker to access a ransom passengers flight details using common last names and by brute-forcing the PNR, allowing the attacker to track certain passengers travels. 

An attacker could use this method to gain access to all kinds of sensitive information, such as passenger names, contact details, ticket data, itinerary, passport number, birth dates, and payment information. 

The researcher claims that the vulnerability impacts several major airlines in the Middle East and Europe, several of which have been contacted by El-fanagely, but all have asked him not to name them. 

Impacted airlines are currently using a booking management system from Amadeus, a provider of global distribution systems (GDS) servicing more than 200 airlines globally. Amadeus was also in hot water earlier this year after experts warned that Amadeus reservation systems used by hundreds of airlines globally exposed the details of millions of travelers due to an insecure direct object reference (IDOR) vulnerability and lack of brute-force protections. 

Improvements have since been made and protections to fight against brute-force attacks have been implemented, but these protections are only available to airlines that allow Amadeus to manage the booking system for them. Meaning any airline that elects to manage the booking systems themselves must also implement the protection systems themselves, putting the responsibility on the airline, many of which have apparently failed to do so. 

Amadeus commented on the vulnerability, claiming, "The airline websites where the booking pages are affected by this vulnerability are NOT managed by Amadeus, they are either managed by the airlines themselves or by other non-Amadeus providers. Where Amadeus manage the booking pages for airlines there are protections in place against brute force attacks."



NNT Suite of Products

change tracker gen7r2 logo

Combine industry leading Device Hardening, File Integrity Monitoring, Change Control, Configuration Management & Compliance Management into one easy to use solution that can scale to the most demanding environments!

fastcloud logo

Automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology) Integrity Assurance.

log tracker logo logo

Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds.

vulnerability tracker logo

Continuously scan and identify vulnerabilities with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

USA Offices
New Net Technologies LLC
Suite #10115, 9128 Strada Place
Naples, Florida, 34108
1175 Peachtree St NE
Atlanta, Georgia, 30361.
4145 SW Watson, Suite 350
Beaverton, Oregon, 97005.

Tel: (844) 898-8358
email [email protected]
UK Office
New Net Technologies Ltd
Rivers Lodge, West Common
Harpenden, Hertfordshire

Tel: 01582 287310
email [email protected]
CIS benchmarking SEWP Cybersecurity 500Sans Institute Now Certified
Copyright 2019, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.