Noah Rotem got an intriguing error message from El Al's reservation system ("PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE*) and by tugging at the loose thread it revealed, he was able to view any "Passenger Name Record" in El Al's system, allowing him to "make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer's email and phone number, which could then be used to cancel/change flight reservation via customer service."
The bug was not with El Al's system, but rather is a vulnerability in the Amadeus online booking service, which is used by nearly half of all carriers in the world — including more than 140 major international carriers.
PNR codes can be recovered in a variety of ways, including trawling social media for boarding-pass photos, but they are also easily guessable using a small, simple program.
What's more, Rotem found no anti-guessing/brute-force measures in place that prevents this attack.
Amadeus says it has now implemented countermeasures to prevent the attack, but it's not clear how well this will work.
"At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action and we can now confirm that the issue is solved. To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers' personal information. We regret any inconvenience this situation might have caused."
Major Security Breach Discovered Affecting Nearly Half of All Airline Travelers Worldwide
[Paul Kane/Safety Detective]
(via Bleeping Computer)