LASER_oneXM

Level 33
Verified
Potential attackers could view and change private information in flight bookings made by millions of customers of major international airlines because of a security issue in the Amadeus online booking system found by Safety Detective's Noam Rotem.

Currently, the Amadeus ticket booking system is being used by 141 international airlines which gives it control over 44% of the global online reservation market, with United Airlines, Lufthansa, and Air Canada being some of its clients.

As described by Safety Detective's research labs, the security bug was found when trying to book a flight on the EL AL airline, Israel's national carrier, which sent the security researchers "the following link to check our PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE."

From there it was only a matter of changing the RULE_SOURCE_1_ID which allowed them to view any Passenger Name Record (PNR), giving them access to the passengers' names as well as to all associated flight details.