Security Flaw Exposed Valid Airline Boarding PassesAmadeus Patches Check-In Software Used by Hundreds of Airlines
A vulnerability in global airline check-in software used by hundreds of airlines could have been exploited to allow users to view other individuals' boarding passes and personal details, warns incident response expert David Stubley
The vulnerability, which has now been patched, existed in travel software developed by Madrid-based Amadeus IT Group. The flaw was discovered by Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements.
"It was possible to download valid boarding passes - not belonging to the user - for future flights due to an insecure direct object reference weakness within the application," Stubley tells Information Security Media Group. "Insecure direct object reference or IDOR vulnerabilities occur when an application provides direct access to objects based on user-supplied input, bypassing expected authentication and user access controls."
Amadeus develops travel industry software used by 500 airlines - including United Airlines and Air Canada - as well as hotels, rail and cruise lines, tour operators and others.
"Amadeus recently became aware of a configuration flaw affecting its Altéa Self Service Check-In solution," a spokeswoman tells ISMG. "Our security teams took immediate action and the vulnerability is now fixed. We are not aware of there having been any further unauthorized access resulting from the vulnerability, beyond the activity of the security researcher. We regret any inconvenience this might cause to our customers."
Amadeus didn't immediately respond to request for further comment about how it tracks unauthorized access and whether it proactively monitors for this.
Stubley says he discovered the flaw in the Amadeus software last week while waiting at Birmingham Airport to board a Flybe flight home to Edinburgh. Noticing how the Amadeus web application's URL was structured, he began testing if it would allow him to change parameters and still get results.
- July 8: Stubley reports vulnerability to Flybe, which reports it to Amadeus on the same day.
- July 11: Vulnerability reported to Britain's Civil Aviation Authority. The same day, Flybe reports that Amadeus has received vulnerability notice and is "taking remediation action."
- July 15: Amadeus confirms fixes are in place.
- July 16: Security advisory published.
IDOR flaws are not rare, and at times have featured on the Open Web Application Security Project's top 10 list of the worst web application vulnerabilities.
"Insecure direct object references allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object," according to OWASP. "Such resources can be database entries belonging to other users, files in the system and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks."
Stubley says the flaw would have affected all of the approximately 500 airlines that use Amadeus software.
He's published a technical advisory containing more details, as well as a proof-of-concept demonstration showing "that due to a lack of authentication required for access to the resource as well as a lack of brute force protection, it was possible to automate an attack to enumerate supported airlines."
At Risk: Personally Identifiable Information
Stubley says the vulnerability put customers' personally identifiable information at risk because it provided unauthenticated access to valid boarding passes containing a customer's name and flight details, as well as their booking reference. "With that and the surname, it would be possible to gain access to the booking and further sensitive information such as contact details, including their mobile phone number," he says.
Having a valid boarding pass would allow users to enter restricted areas, such as domestic terminals, at airports serviced by airlines that use Amadeus software. But additional security controls should have prevented individuals from being able to use other people's boarding passes to gain access to an airplane.
"In terms of context, it's important to note that additional security controls at airports - such as ability to identify reuse of a boarding pass at security - would limit the impact of anyone gaining airside access," Stubley says. "However, not all airports use the same technology, so it's not an even playing field."
Takeaway: 'Trust But Verify'
One takeaway is that this particular problem isn't the fault of the airlines, Stubley says, but rather the software provider. The incident also demonstrates "the need to gain assurance over commercial off-the-shelf software applications, rather than blindly trusting as everyone else uses so it must be OK," he says. "As with most things in life, 'trust but verify' remains king."
This is not the first time flaws have been found in Amadeus software. In January, security researcher Noam Rotem reported finding an IDOR booking software vulnerability that exposed airline passenger name records, which is the bundle of personal and travel data that gets collected whenever someone books a flight.
Rotem, who works at the security firm Safety Detective, discovered that he could alter the booking reference number contained in a link to retrieve other passengers' details. He discovered the flaw while using airline El Al's website while booking his own flight. El Al uses Amadeus travel software.
Amadeus apologized for the flaw, said it had no evidence that the vulnerability had been abused to steal user data, and rapidly put a fix in place (see: Airline Booking System Exposed Passenger Details).
Legacy Software Risks
Global distribution systems such as Amadeus, Sabre and U.K.-based Travelport are decades old. Amadeus, for example, was originally created by a consortium of European airlines - Air France, Iberia, Lufthansa and SAS - in 1987 to connect their systems with travel agencies and consumers, and to provide an alternative to the Sabre system that was originally developed by American Airlines.
But security researchers have warned that the companies' legacy software can sometimes be built into web services without proper security controls - including access controls - being put in place (see: Sabre Says Stolen Credentials Led to Breach).