Security News Frontier Airlines API Exposes Passport, Credit Card, and Personal Data via Boarding Pass Information

lokamoka820

A security researcher known as BobDaHacker has revealed significant vulnerabilities in Frontier Airlines' booking system. These flaws enable anyone with a six-character booking code, or PNR, and a passenger's last name, both visible on every Frontier boarding pass, to access full personal records.

This information includes passport numbers, partial credit card details, and home addresses, all available through the airline's mobile API.

The issues were first reported to Frontier on March 3, 2026. As of June 18, 105 days later, the vulnerabilities remain unpatched.

What the API Exposes

Frontier's mobile API endpoint accepts a PNR and last name, then provides a full internal booking record for each passenger on the reservation.

The data available includes full home address details such as street, city, state, and ZIP code, as well as email address and phone number.

It also reveals complete date of birth information, including for minors, along with unmasked passport details like passport number, issuing country, and expiration date. Additionally, it exposes:
  • The Known Traveler Number, used for TSA PreCheck.
  • The Frontier Miles loyalty number.
  • Credit card information, including the first six digits (BIN), the last four digits, the expiration date, the cardholder name, and the full billing address.
  • Payment history data, complete with authorization codes.
 
The serious issue is that with just the PNR and the last name, the entire passenger profile can be accessed. In practice, the boarding pass ends up being as sensitive as an identity document. ✈️🔒
 
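The exposure described in the post comes down to an endpoint returning the whole internal booking record to a caller who only holds boarding-pass data. The following is an added example, not code from the post, the researcher or Frontier: a response allowlist keyed on how the caller authenticated, plus a regression check that flags over-exposed fields. The field names, the two authentication levels and the policy itself are assumptions.

```python
# Assumed policy: what a caller holding only PNR + last name may receive.
BOARDING_PASS_VIEW = {"pnr", "first_name", "last_name", "flight", "seat"}
# Assumed policy: extra fields for a session logged in as the booking owner.
ACCOUNT_VIEW = BOARDING_PASS_VIEW | {"email", "phone", "loyalty_number", "card_last4"}
# Identifiers that are only ever returned masked, even to the owner.
MASKED = {"passport_number", "known_traveler_number"}


def mask(value, keep=2):
    """Replace all but the last `keep` characters with '*'."""
    value = str(value)
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def render_passenger(record, auth_level):
    """Build the response from an allowlist; fields not listed are dropped."""
    allowed = ACCOUNT_VIEW if auth_level == "account" else BOARDING_PASS_VIEW
    out = {k: record[k] for k in allowed if k in record}
    if auth_level == "account":
        for k in MASKED & record.keys():
            out[k] = mask(record[k])
    return out


def leaked_fields(response, auth_level):
    """Regression check: field names that exceed the policy for auth_level."""
    allowed = (ACCOUNT_VIEW | MASKED) if auth_level == "account" else BOARDING_PASS_VIEW
    return sorted(set(response) - allowed)


# Constructed sample record; every value is fictional.
SAMPLE = {
    "pnr": "ABC123", "first_name": "Alex", "last_name": "Example",
    "flight": "F9 0000", "seat": "12A",
    "email": "alex@example.com", "phone": "+1-555-0100",
    "home_address": "1 Example St, Springfield, ST 00000",
    "date_of_birth": "1990-01-01",
    "passport_number": "X1234567", "passport_country": "XX",
    "passport_expiry": "2030-01-01", "known_traveler_number": "TT0000001",
    "loyalty_number": "900000001", "card_bin": "400000", "card_last4": "0000",
    "card_expiry": "01/30", "cardholder_name": "Alex Example",
    "billing_address": "1 Example St, Springfield, ST 00000",
    "payment_auth_codes": ["000000"],
}

if __name__ == "__main__":
    print(leaked_fields(SAMPLE, "boarding_pass"))            # raw record vs. policy
    print(render_passenger(SAMPLE, "boarding_pass"))         # minimized response
```

Running `leaked_fields` against captured responses in an API test suite turns the policy into a check that fails whenever a new internal field starts reaching the client.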