January 10, 2017
While waiting for my flight to begin boarding at a European airport recently, I noticed that one of the screens at the gate showed a timed-out web browser window. Being curious and more than a little bored, I opened the IP address displayed on the screen on my smartphone expecting it to be unreachable from the internet. However, to my surprise I was greeted by the familiar screen used to announce information about the next flight leaving a particular gate. The website also had a full listing of all gates operated by the airline across a handful of airports.
While knowing which flights are about to leave from which gate is useful, it’s no big secret. This information can be viewed by anyone on the airport’s departure page as well as through a multitude of smartphone apps. What was worrying was that I also found debug information containing data which could be used to hack into passenger accounts.
Debug information reveals passenger name records
On the public-facing server there was one page that immediately caught my eye. For each gate, there was a debug page available. The page listed all database fields with information available about the next flight. One of the queried tables was for passengers on the standby list. Various information about these passengers was listed including their complete booking reference codes, also known as passenger name record (PNR) locators. These six-digit alphanumeric codes, used in the databases of airline computer reservation systems (CRS), are a vital part of every travel booking.
Most airlines treat the PNR code as an authentication token that acts like a password, a password that is unfortunately widely shared in cleartext. Having this code and the last name of the traveler is all that is needed to access passenger bookings.
In this particular case the last names were shortened to three-to-five characters, probably in order to provide some privacy when displayed on the official screen. However, guessing a last name when you already have up to five characters could be relatively easy. And for common short names such as Koch, Beck, or West, no guessing is necessary as the full name is revealed completely.
Consequently, anybody that knew about this publicly accessible server could view passenger PNR codes and guess the last names. If a criminal got their hands on this information it could seriously ruin someone’s holiday.