Many airlines allow passengers to view and make adjusts to flight details by using a unique identifier often called the booking reference, or passenger reference number, and the customers last name. 

Unfortunately, there are several airlines that have not implemented mechanisms that would prevent someone from obtaining the PNR through a brute force attack on an airlines' booking management system. 

This news comes from Ahmed El-fanagely of Egypt, who claims to have developed a tool that would enable an attacker to access a ransom passengers flight details using common last names and by brute-forcing the PNR, allowing the attacker to track certain passengers travels. 

An attacker could use this method to gain access to all kinds of sensitive information, such as passenger names, contact details, ticket data, itinerary, passport number, birth dates, and payment information. 

The researcher claims that the vulnerability impacts several major airlines in the Middle East and Europe, several of which have been contacted by El-fanagely, but all have asked him not to name them. 

Impacted airlines are currently using a booking management system from Amadeus, a provider of global distribution systems (GDS) servicing more than 200 airlines globally. Amadeus was also in hot water earlier this year after experts warned that Amadeus reservation systems used by hundreds of airlines globally exposed the details of millions of travelers due to an insecure direct object reference (IDOR) vulnerability and lack of brute-force protections. 

Improvements have since been made and protections to fight against brute-force attacks have been implemented, but these protections are only available to airlines that allow Amadeus to manage the booking system for them. Meaning any airline that elects to manage the booking systems themselves must also implement the protection systems themselves, putting the responsibility on the airline, many of which have apparently failed to do so. 

Amadeus commented on the vulnerability, claiming, "The airline websites where the booking pages are affected by this vulnerability are NOT managed by Amadeus, they are either managed by the airlines themselves or by other non-Amadeus providers. Where Amadeus manage the booking pages for airlines there are protections in place against brute force attacks."



The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Contact Us

Corporate Headquarters

6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)

[email protected]

United Kingdom

5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023

 [email protected]
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2023, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.