Noah Rotem got an intriguing error message from El Al's reservation system ("PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE") and, by tugging at the loose thread it revealed, was able to view any Passenger Name Record (PNR) in El Al's system, which let him "make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service."
The bug was not in El Al's own system but in the Amadeus online booking service behind it, which is used by nearly half of all carriers in the world, including more than 140 major international carriers.
PNR codes can be recovered in a variety of ways, including trawling social media for boarding-pass photos, but they are also easily guessable with a small, simple program: a record locator is a short alphanumeric string, and here it was the only credential needed to open the record.
What's more, Rotem found no anti-guessing or brute-force measures in place to prevent this attack.
Amadeus says it has now implemented countermeasures to prevent the attack, but it is not clear how well they will work.
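To make the two problems concrete (a locator is a tiny keyspace, and nothing slowed the guesser down), here is a toy booking-lookup service with the vulnerable pattern beside a hardened one. This is an added illustration, not code from the article, El Al or Amadeus, and it says nothing about what Amadeus actually deployed; the records, client addresses, the BruteForceGuard class and its limits are all constructed for the example.

```python
"""Toy booking-lookup service: why a bare PNR is guessable, and a brute-force guard.

Added illustration; not code from the article, El Al or Amadeus. Records,
client addresses and limits are all constructed for this example."""
import hmac
import itertools
import string
import time
from collections import defaultdict

ALPHABET = string.ascii_uppercase + string.digits

# Constructed sample records, keyed by a six-character record locator.
RECORDS = {
    "AAAAAB": {"surname": "Doe", "flight": "LY001", "seat": "12A"},
    "AAAAAD": {"surname": "Roe", "flight": "LY315", "seat": "3C"},
}


def pnr_keyspace(length=6, alphabet=ALPHABET):
    """Number of possible locators: 36**6, about 2.2 billion.
    Small enough that a scripted guesser with no rate limit is viable."""
    return len(alphabet) ** length


def lookup_vulnerable(pnr):
    """The pattern the article describes: the locator alone is the credential."""
    return RECORDS.get(pnr.strip().upper())


class BruteForceGuard:
    """Hypothetical guard: counts failed lookups per client and per locator
    inside a sliding window and refuses further attempts past a limit."""

    def __init__(self, max_client_fail=5, max_record_fail=3, window=600.0,
                 clock=time.monotonic):
        self.max_client_fail = max_client_fail
        self.max_record_fail = max_record_fail
        self.window = window
        self.clock = clock
        self.client_fail = defaultdict(list)   # client id -> failure timestamps
        self.record_fail = defaultdict(list)   # locator   -> failure timestamps

    def _recent(self, stamps, now):
        cutoff = now - self.window
        stamps[:] = [t for t in stamps if t > cutoff]   # drop expired entries
        return len(stamps)

    def blocked(self, client, pnr, now):
        return (self._recent(self.client_fail[client], now) >= self.max_client_fail
                or self._recent(self.record_fail[pnr], now) >= self.max_record_fail)

    def note_failure(self, client, pnr, now):
        self.client_fail[client].append(now)
        self.record_fail[pnr].append(now)


def lookup_hardened(guard, client, pnr, surname, now=None):
    """Hardened lookup: second factor (surname), constant-time compare,
    identical response for 'no such PNR' and 'wrong surname', failures counted.
    Returns the record, None on a miss, or "locked" when throttled."""
    now = guard.clock() if now is None else now
    pnr = pnr.strip().upper()
    if guard.blocked(client, pnr, now):
        return "locked"
    rec = RECORDS.get(pnr)
    expected = (rec["surname"] if rec else "").casefold().encode()
    ok = rec is not None and hmac.compare_digest(expected, surname.strip().casefold().encode())
    if not ok:
        guard.note_failure(client, pnr, now)
        return None
    return rec


def enumerate_locators(lookup, n):
    """Simulated guesser: try the first n locators in lexical order.
    Returns (records opened, attempts refused by the guard)."""
    hits = locked = 0
    for i, chars in enumerate(itertools.product(ALPHABET, repeat=6)):
        if i >= n:
            break
        out = lookup("".join(chars))
        if out == "locked":
            locked += 1
        elif out is not None:
            hits += 1
    return hits, locked


if __name__ == "__main__":
    print("keyspace:", pnr_keyspace())
    print("vulnerable:", enumerate_locators(lookup_vulnerable, 10))
    g = BruteForceGuard()
    attacker = lambda p: lookup_hardened(g, "203.0.113.5", p, "Smith", now=0.0)
    print("hardened:", enumerate_locators(attacker, 10))
    print("legit:", lookup_hardened(g, "198.51.100.7", "aaaaab", "doe", now=0.0))
```

Against the vulnerable lookup, ten sequential guesses open two records; against the hardened one, the same guesser gets five misses and is then refused, while a traveler from another address who knows the surname still gets in. The per-record counter is a trade-off worth noting: an attacker who knows a locator can deliberately lock its owner out, so a real deployment would pair a second factor and throttling with alerting rather than rely on hard lockouts alone.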
“At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action and we can now confirm that the issue is solved. To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information. We regret any inconvenience this situation might have caused.”
Major Security Breach Discovered Affecting Nearly Half of All Airline Travelers Worldwide
[Paul Kane/Safety Detective]
(via Bleeping Computer)
Hackers working for China’s government targeted firms working on coronavirus vaccines and stole hundreds of millions of dollars’ worth of intellectual property and trade secrets, the Justice Department claimed in a statement Tuesday announcing criminal charges.
This is quite a major hack. Now is a good time to change your Twitter password, if you are a user. Hackers pumping a cryptocurrency giveaway scam appear to have compromised the Twitter accounts of leading exchanges, prominent individuals, major corporations, and at least one news organization.
The mobile phones of a number of politicians in Spain, including the president of Catalonia’s parliament, were recently hacked. The government of Spain has been an NSO customer since 2015, Motherboard reported on Tuesday. NSO Group is an Israeli company that sells surveillance and hacking tools to governments around the world.