A bug in the Amadeus online ticket booking system exposed passengers’ private data, allowing potential attackers to view and change booking information. According to security researcher Noam Rotem of Safety Detective research labs, the flaw could let anyone manipulate a traveler’s reservation on any airline that uses the Amadeus reservation system.
Amadeus is one of the largest reservation systems, serving around 141 airlines, including British Airways, Air France, Icelandair, United Airlines, Lufthansa, Air Canada and Qantas. The company provides search, pricing, booking, ticketing and other processing services to international travelers and travel agencies.
Rotem stated that he discovered the issue after receiving an error code from the ticketing system while making a booking. Working from that error, he said, he was able to view customers’ Passenger Name Records (PNRs) and change account details, assign seats and meals, and update the customer’s email address and phone number.
“After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information. We contacted ELAL immediately to point out the threat and prompt them to close the breach before it was discovered by anyone with malicious intentions,” Safety Detective said in a post.
Amadeus fixed the vulnerability after Safety Detective reported the data leak. Confirming the fix, Amadeus stated: “At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action and we can now confirm that the issue is solved. To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information. We regret any inconvenience this situation might have caused.”
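The failure Safety Detective describes is a record lookup keyed on nothing but the six-character locator, with no limit on how many locators one client may try. The following is an added illustration, not code from Amadeus, Safety Detective or any airline, of that pattern beside a hardened form. It assumes a simple in-process lookup, uses the passenger surname as the second factor (an assumed design, not a claim about what Amadeus’ “Recovery PTR” does), a sliding-window per-client rate limiter, and two constructed sample bookings.

```python
import hmac
import string
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample bookings for the demonstration; not real records.
BOOKINGS: Dict[str, dict] = {
    "AB12CD": {"surname": "DOE", "email": "j.doe@example.test", "seat": "12A"},
    "XY98ZW": {"surname": "ROE", "email": "r.roe@example.test", "seat": "3C"},
}

PNR_ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols
PNR_LENGTH = 6


def pnr_keyspace() -> int:
    """Number of six-character locators: 36**6, about 2.2 billion. That is
    small enough to walk exhaustively once nothing limits the request rate."""
    return len(PNR_ALPHABET) ** PNR_LENGTH


def lookup_vulnerable(pnr: str) -> Optional[dict]:
    """Returns the full record for any locator that exists.

    The locator is the only thing checked. It is short and printed on every
    boarding pass, so a client allowed unlimited requests can enumerate the
    space and read strangers' bookings (the pattern reported in the article)."""
    return BOOKINGS.get(pnr.upper())


@dataclass
class RateLimiter:
    """Sliding-window per-client limiter (assumed design). `client` is
    whatever the deployment keys on, e.g. source address or session id."""
    limit: int
    window_s: float
    _hits: Dict[str, List[float]] = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        recent = [t for t in self._hits.get(client, []) if now - t < self.window_s]
        allowed = len(recent) < self.limit
        if allowed:
            recent.append(now)
        self._hits[client] = recent
        return allowed


LIMITER = RateLimiter(limit=5, window_s=60.0)
_DUMMY_SURNAME = "\x00" * 16  # compared against when the PNR does not exist


def lookup_hardened(pnr: str, surname: str, client: str,
                    now: Optional[float] = None) -> Optional[dict]:
    """Requires locator AND surname, throttles per client, and returns one
    uniform 'not found' for unknown PNR, wrong surname and throttled client
    alike, so a prober cannot learn which locators are real."""
    now = time.monotonic() if now is None else now
    if not LIMITER.allow(client, now):
        return None
    record = BOOKINGS.get(pnr.upper())
    expected = record["surname"] if record else _DUMMY_SURNAME
    # Constant-time compare, run even when the record is missing, so that
    # response time does not reveal whether the locator exists.
    if not hmac.compare_digest(expected.encode(), surname.strip().upper().encode()):
        return None
    return record


def probe(lookup: Callable[[str], Optional[dict]], candidates: List[str]) -> int:
    """Simulates the probing script from the article: submit each candidate
    locator and count how many bookings come back."""
    return sum(1 for pnr in candidates if lookup(pnr) is not None)


if __name__ == "__main__":
    guesses = ["AAAAAA", "AB12CD", "ZZZZZZ", "XY98ZW", "QQQQQQ", "AB12CE"]
    print("locator keyspace:", pnr_keyspace())
    print("vulnerable endpoint leaked", probe(lookup_vulnerable, guesses), "bookings")
    # Same guesses against the hardened endpoint: no surname, one client,
    # one request per second, so the limiter cuts the probe off after five.
    leaked = sum(
        1 for i, p in enumerate(guesses)
        if lookup_hardened(p, "SMITH", "10.0.0.1", now=float(i)) is not None
    )
    print("hardened endpoint leaked", leaked, "bookings")
```

The hardened lookup makes two separate changes, and both matter: the second factor stops a bare locator from being a bearer credential, and the rate limit stops a client from grinding through the remaining keyspace of locator-plus-surname pairs. Returning the same answer for every failure mode keeps the endpoint from acting as an oracle for which locators exist.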
In a similar incident, Singapore Airlines (SIA) recently reported that a software glitch may have exposed the personal information of 285 members of its services. The Singapore flag carrier stated that a bug on its website leaked data from KrisFlyer, its frequent flyer programme. The exposed information included members’ full names, email addresses, membership tier, account numbers, accumulated miles and rewards, travel history, passport details and flight information.