Amadeus - major vulnerability found (now fixed)

[AisleSeat]

Hacker and Activist Noam Rotem, working with Safety Detective research lab, was shocked when he recently discovered a major vulnerability affecting nearly half of all airlines worldwide.

While booking a flight with Israeli national carrier ELAL, he came across a significant security breach that allows anyone to access and change private information on flight bookings.

The same breach was then discovered to include 44% of the international carriers market, potentially affecting tens of millions of travelers.

They contacted Amadeus, who have fixed this issue.

Major Security Breach Discovered Affecting Nearly Half of All Airline Travelers Worldwide | Safety Detective

 

[Pushka]

Hacker and Activist Noam Rotem, working with Safety Detective research lab, was shocked when he recently discovered a major vulnerability affecting nearly half of all airlines worldwide.

While booking a flight with Israeli national carrier ELAL, he came across a significant security breach that allows anyone to access and change private information on flight bookings.

The same breach was then discovered to include 44% of the international carriers market, potentially affecting tens of millions of travelers.

They contacted Amadeus, who have fixed this issue.

Major Security Breach Discovered Affecting Nearly Half of All Airline Travelers Worldwide | Safety Detective

Wow. This is why they should employ the best hackers to do their best to find out holes. El Al of all airlines too!

 

[serfty]

All Amadeus airlines were affected, including QF.

It was just when booking with El Al the authors came across it.

 

[Pushka]

All Amadeus airlines were affected, including QF.

It was just when booking with El Al the authors came across it.

Yes, but that’s the last airline you’d expect to be able to exploit from their own systems. You’d think they would have checked Amadeus out!

 

[serfty]

Yes, but that’s the last airline you’d expect to be able to exploit from their own systems. You’d think they would have checked Amadeus out!

You could do it for Qantas bookings as well ... or BA or MH or LH ...any Amadeus airline.

 

[Pushka]

You could do it for Qantas bookings as well ... or BA or MH or LH ...any Amadeus airline.

Yes but I would have thought El Al would have thoroughly tested the system out themselves.

 

[serfty]

Yes but I would have thought El Al would have thoroughly tested the system out themselves.

Why? It was Amadeus' responsibility.

 

[Pushka]

Why? It was Amadeus' responsibility.

It surprises me that an airline like El Al which has obvious security issues and scrutinises every passenger did not test the Amadeus system themselves for vulnerabilities. It’s irrelevant that it was Amadeus responsibility. I’d expect El Al to have their own checking process before using Amadeus systems.

 

[serfty]

Do you know what the vulnerability was? Simple accessing of a booking using just the PNR.

You could generate any random 6 alphanumeric characters and it it matched any existing Amadues PNR then you could access the booking. It did not matter which airline.

 

[33kft]

Well it looks like the key was that they were able to fetch the booking name for the PNR without having to authenticate themselves (which generally requires providing the booking surname). So I would say that is more the vulnerability, as once you have those 2 details you can quite legitimately plug them into a "manage my booking" page and go to town cancelling people's flights

Ultimately it was the unauthenticated leak of certain data for the generated PNR, which just happened to be the same data needed for full access to the booking details which let them in.

 

[oz_mark]

It surprises me that an airline like El Al which has obvious security issues and scrutinises every passenger did not test the Amadeus system themselves for vulnerabilities. It’s irrelevant that it was Amadeus responsibility. I’d expect El Al to have their own checking process before using Amadeus systems.

They may well have, but that doesn't mean they would find everything. It's all a constant battle.