Amadeus booking system flaw discovered by security expert

Thursday 17 January 2019 10:01 CET | News

Hacker and activist Noam Rotem has discovered a flaw in the booking system of Amadeus, a company that has 44% of the international carriers’ market, according to SC Magazine.

Rotem found that “by simply changing the RULE_SOURCE_1_ID, we were able to view any passenger name record (PNR) and access the customer name and associated flight details”, according to security blog Safety Detective.

From there, the researchers could log into ELAL’s customer portal “and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service.”

A hacker must know a PNR code to exploit the vulnerability; however, ELAL sends the codes out through unencrypted email and flyers are careless with them, often sharing them on social media, the online publication added.

The researchers, who developed a script to fix the problem, contacted ELAL to report the vulnerability and suggested the airline introduce captchas, passwords and a bot protection mechanism. Moreover, after the vulnerability was reported to Amadeus, the company issued a statement saying the problem was resolved.
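The flaw and two of the suggested mitigations (a password per booking and throttling of automated guesses) can be sketched as follows. This is an added example, not code from Amadeus, ELAL or the researchers; the function names, the `client_id` parameter, the limits and the sample bookings are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed policy: failed lookups allowed per client per window
WINDOW_SECONDS = 600


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data, not real reservations: PNR -> record.
BOOKINGS = {
    "ABC123": {"name": "Passenger One", "flight": "XX001",
               "salt": b"s1", "pw": _hash("correct horse", b"s1")},
    "DEF456": {"name": "Passenger Two", "flight": "XX002",
               "salt": b"s2", "pw": _hash("battery staple", b"s2")},
}
_failures = defaultdict(deque)   # client id -> times of recent failed lookups


def lookup_unsafe(pnr):
    """Pattern from the article: the record identifier alone grants access."""
    return BOOKINGS.get(pnr)


def lookup_hardened(client_id, pnr, password, now=None):
    """Return (status, record); status is "ok", "denied" or "throttled"."""
    now = time.time() if now is None else now
    recent = _failures[client_id]
    while recent and now - recent[0] > WINDOW_SECONDS:
        recent.popleft()                      # forget failures outside the window
    if len(recent) >= MAX_FAILURES:
        return "throttled", None              # stop automated PNR guessing
    record = BOOKINGS.get(pnr)
    # Unknown PNR and wrong password get the same answer, so replies do not
    # reveal which PNR codes exist.
    salt = record["salt"] if record else b"none"
    expected = record["pw"] if record else _hash("", b"none")
    if not hmac.compare_digest(_hash(password, salt), expected) or record is None:
        recent.append(now)
        return "denied", None
    return "ok", {"name": record["name"], "flight": record["flight"]}
```

The captcha the researchers also suggested is not modelled here; in a deployment it would typically be triggered before the throttle limit is reached.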


Keywords: vulnerability, fraud prevention, cybersecurity, Amadeus, booking, password, encryption
Countries: World
