Noah Rotem got an intriguing error message from El Al's reservation system ("PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE*") and, by tugging at the loose thread it revealed, he was able to view any "Passenger Name Record" in El Al's system, allowing him to "make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer's email and phone number, which could then be used to cancel/change flight reservation via customer service."
The bug was not with El Al's system, but rather a vulnerability in the Amadeus online booking service, which is used by nearly half of all carriers in the world -- including more than 140 major international carriers.
PNR codes can be recovered in a variety of ways, including trawling social media for boarding-pass photos, but they are also easily guessable using a small, simple program.
What's more, Rotem found no anti-guessing or brute-force countermeasures in place that would prevent this attack.
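As an added illustration of the missing control (example code written for this post, not Amadeus's or El Al's own code), here is a PNR lookup guard that refuses a bare record locator, requires it to be paired with the booking surname, answers "denied" identically whether the locator or the surname was wrong (so the endpoint does not confirm which locators exist), and locks a client out after a burst of failed lookups. The booking data, thresholds and client identifiers are constructed assumptions.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample bookings (hypothetical): record locator -> surname.
BOOKINGS = {"AB12CD": "ROTEM", "XY98ZZ": "LEVI"}

MAX_FAILURES = 5       # failed lookups tolerated per client per window
WINDOW_SECONDS = 600   # sliding window over which failures are counted
LOCKOUT_SECONDS = 900  # block length once the threshold is reached


@dataclass
class LookupGuard:
    """Anti-guessing wrapper around a record-locator lookup."""
    failures: dict = field(default_factory=dict)      # client -> [timestamps]
    locked_until: dict = field(default_factory=dict)  # client -> unlock time

    def lookup(self, client: str, locator: str, surname: str, now=None) -> str:
        """Return "ok", "denied" or "locked"; never reveals why a lookup failed."""
        now = time.time() if now is None else now
        if self.locked_until.get(client, 0) > now:
            return "locked"

        # Drop failures that have aged out of the window.
        recent = [t for t in self.failures.get(client, []) if now - t < WINDOW_SECONDS]
        self.failures[client] = recent

        # Compare the surname in constant time; use an empty expected value when
        # the locator is unknown so both failure paths cost about the same.
        record = BOOKINGS.get(locator.upper())
        expected = (record or "").encode()
        matched = record is not None and hmac.compare_digest(expected, surname.upper().encode())
        if matched:
            return "ok"

        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[client] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

In a real deployment the failure counters would live in shared storage and be keyed on more than a source address, and every "locked" event is worth alerting on, since a client cycling through locators is exactly the enumeration this post describes.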
Amadeus says it has now implemented countermeasures to prevent the attack, but it's not clear how well this will work.
“At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action and we can now confirm that the issue is solved. To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information. We regret any inconvenience this situation might have caused.”
Major Security Breach Discovered Affecting Nearly Half of All Airline Travelers Worldwide
[Paul Kane/Safety Detective]
(via Bleeping Computer)