Vulnerability in Amadeus booking system could allow anyone to access and alter travelers’ private information

• A vulnerability in Amadeus online booking system could allow anyone to access and modify travelers’ private information on flight bookings.
• The bug could further allow anyone to claim frequent flyer miles to a personal account, assign seats and meals, change customer’s contact details, cancel flight reservation.

Hacker and activist Noam Rotem, while booking a flight with Israel’s ELAL airline, came across a vulnerability in the reservation system. Rotem discovered the vulnerability to include 44% of the international carriers market potentially affecting millions of travelers. He noted that the vulnerability could allow anyone to access and alter travelers’ private information on flight reservations.

Findings from the analysis

Rotem along with Safety Detective analyzed the bug and found that by changing the RULE_SOURCE_1_ID, they were able to view any PNR and access flight bookings.

“By simply changing the RULE_SOURCE_1_ID, we were able to view any PNR and access the customer name and associated flight details,” Paul Kane of Safety Detective explained in a blog.

With the PNR and customer name, the researchers were able to log into ELAL’s customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, change customer’s contact details, and change/cancel flight reservation.

Researchers revealed that although a PNR code is required for an attacker to exploit the vulnerability, ELAL sends these codes via unencrypted email and travelers often share these codes on social media.

“After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information,” Kane wrote.

Suggestions from researchers

• Researchers immediately reported the vulnerability to ELAL and suggested to fix the bug before anyone with malicious intentions discovers it.
• Researchers further suggested ELAL to remove the bug by introducing captchas, passwords, and a bot protection mechanism to avoid brute force attacks.

Upon learning about the threat, Amadeus resolved the issue and added a ‘Recovery PTR’ to prevent attackers from accessing travelers’ personal information.