Many airlines allow passengers to view and make adjustments to flight details by using a unique identifier, often called the booking reference or PNR (passenger name record) locator, together with the customer's last name.
Unfortunately, several airlines have not implemented mechanisms that would prevent someone from obtaining a PNR by brute-forcing the airline's booking management system.
This news comes from Ahmed El-fanagely of Egypt, who claims to have developed a tool that lets an attacker access random passengers' flight details by pairing common last names with brute-forced PNRs, allowing the attacker to track those passengers' travels.
An attacker could use this method to gain access to all kinds of sensitive information, such as passenger names, contact details, ticket data, itineraries, passport numbers, birth dates and payment information.
The researcher claims that the vulnerability impacts several major airlines in the Middle East and Europe, several of which have been contacted by El-fanagely, but all have asked him not to name them.
Impacted airlines are currently using a booking management system from Amadeus, a provider of global distribution systems (GDS) servicing more than 200 airlines globally. Amadeus was also in hot water earlier this year after experts warned that Amadeus reservation systems used by hundreds of airlines globally exposed the details of millions of travelers due to an insecure direct object reference (IDOR) vulnerability and lack of brute-force protections.
Improvements have since been made and brute-force protections have been implemented, but those protections only cover airlines that let Amadeus manage the booking pages for them. Any airline that elects to run its own booking pages must implement the protections itself, which shifts the responsibility to the airline, and many have apparently failed to do so.
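The attack and the missing control described above, reduced to a small Python simulation. This is an added example, not code from the researcher, Amadeus or any airline: the booking store is constructed, the six-character alphanumeric locator format is an assumption, and the `ThrottledLookup` class is a hypothetical sketch of the kind of brute-force protection a self-managed booking page would need. The unprotected lookup hands the attacker a hit within a few hundred guesses for the surname "Smith"; the throttled one locks the client and the surname after ten failures and leaks nothing.

```python
import itertools
import string
import time
from collections import defaultdict

# Constructed sample bookings: record locator -> (last name, itinerary).
# Six-character alphanumeric locators are assumed; a real store would be a database.
BOOKINGS = {
    "AAAAB7": ("SMITH", "CAI-LHR 2019-07-01 seat 12A"),
    "XY9Z7Q": ("AHMED", "DXB-FRA 2019-08-14 seat 3C"),
    "K7LM2P": ("SMITH", "JFK-CDG 2019-09-03 seat 21F"),
}
RATE_LIMITED = "rate_limited"


def lookup_unprotected(pnr, last_name):
    """The vulnerable shape: unlimited guesses, nothing counted, nothing locked."""
    rec = BOOKINGS.get(pnr.upper())
    return rec[1] if rec and rec[0] == last_name.upper() else None


class ThrottledLookup:
    """Hypothetical hardened lookup: a sliding-window cap on failed attempts,
    tracked per client AND per surname, with a lockout once the cap is hit."""

    def __init__(self, max_failures=10, window_s=600, lockout_s=900, clock=time.monotonic):
        self.max_failures, self.window_s, self.lockout_s, self.clock = max_failures, window_s, lockout_s, clock
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}             # key -> clock time when the lockout expires

    def _is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is not None and now < until:
            return True
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window_s]  # slide the window
        return False

    def _record_failure(self, key, now):
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.max_failures:
            self.locked_until[key] = now + self.lockout_s
            self.failures[key].clear()

    def lookup(self, client_id, pnr, last_name):
        now = self.clock()
        # Per-client limits stop one source; per-surname limits still bite when the
        # attacker rotates IPs but keeps enumerating locators for one common surname.
        keys = (("client", client_id), ("surname", last_name.upper()))
        if any(self._is_locked(k, now) for k in keys):
            return RATE_LIMITED
        rec = BOOKINGS.get(pnr.upper())
        if rec and rec[0] == last_name.upper():
            return rec[1]
        for k in keys:
            self._record_failure(k, now)
        return None


def brute_force(lookup, last_name, max_guesses):
    """Attacker loop: fix a common surname, enumerate locators in order.
    Returns (hits, guesses_made, was_rate_limited)."""
    alphabet = string.ascii_uppercase + string.digits
    hits, guesses = {}, 0
    for combo in itertools.product(alphabet, repeat=6):
        if guesses >= max_guesses:
            break
        guesses += 1
        result = lookup("".join(combo), last_name)
        if result == RATE_LIMITED:
            return hits, guesses, True
        if result is not None:
            hits["".join(combo)] = result
    return hits, guesses, False


class FakeClock:
    """Controllable clock so the demo can fast-forward past a lockout."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now


def demo():
    # 1. Unprotected endpoint: 500 guesses and the attacker already has a booking.
    open_hits, open_guesses, _ = brute_force(lookup_unprotected, "smith", 500)
    # 2. Throttled endpoint: locked after ten failures, nothing leaked.
    clock = FakeClock()
    limiter = ThrottledLookup(max_failures=10, clock=clock)
    safe_hits, safe_guesses, limited = brute_force(
        lambda pnr, name: limiter.lookup("203.0.113.7", pnr, name), "smith", 500)
    # 3. Side effect: a genuine Smith is blocked too, but only until the lockout expires.
    blocked = limiter.lookup("198.51.100.9", "AAAAB7", "Smith")
    clock.now += limiter.lockout_s + 1
    after_lockout = limiter.lookup("198.51.100.9", "AAAAB7", "Smith")
    return {"open_hits": open_hits, "open_guesses": open_guesses, "safe_hits": safe_hits,
            "safe_guesses": safe_guesses, "limited": limited,
            "blocked": blocked, "after_lockout": after_lockout}
```

The per-surname counter is what makes the control meaningful against this attack, because the attacker fixes a common surname and varies only the locator, so a purely per-IP limit is defeated by rotating addresses. The price, shown in step 3, is that a surname-wide lockout also turns away legitimate passengers with that surname for its duration, so in production it would normally be paired with a CAPTCHA or an emailed link rather than a hard block, and the lockout kept short.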
Amadeus commented on the vulnerability, claiming, "The airline websites where the booking pages are affected by this vulnerability are NOT managed by Amadeus, they are either managed by the airlines themselves or by other non-Amadeus providers. Where Amadeus manage the booking pages for airlines there are protections in place against brute force attacks."