Bug in reservation system used by 140+ international airlines exposes passenger data and allows for manipulation

Originally published at: https://boingboing.net/2019/01/16/lots-of-numbers-here.html


I’m always complaining that I never have the monetary resources nor business opportunities to travel anywhere. But maybe as all my jet-setting friends are getting hacked, I’m actually lucky in that regard.


Oooh maybe someone could build a nice API now, so I can reliably get my vegeterian meal (non-dairy, all allergies, all religious dietary restrictions).


Cory, you gotta evaluate your sources. I’m pretty sure this entire story is a marketing scam, and also a good showcase of the hellish life of content marketers. I’ve been working in IT security product development for over 10 years, I’ve seen this shit from all sides.

The story is reported by Safety Detective, a page that apparently mostly offers three-sentence virus scanner reviews that are completely generic and could be written solely based on the websites of the scanners. They also “quote” reviews from 3rd parties to have more content, and affiliate links to the vendor websites. They offer some more pieces of quality journalism, such as the posts “10 Best (REALLY FREE) Antivirus for Mac in 2019”, “10 Best (REALLY FREE) Windows Antivirus Programs for 2019”, “10 best (REALLY FREE) Antivirus software in 2019”, “7 Best (TRULY) Online Free Virus Scanners – Updated for 2019”, “5 Best (REALLY FREE) Antivirus Programs for Android in 2019”, all posted on the blog on the same day, 12nd December, 2018, also littered with affiliate links, of course.

The site has an online “Vulnerability Tool” that seems to be a copy of the tool made by a company from Abbis Ababa, Ethiopia, called Zerorose, whose website and other online presence seems to be defunct since end of 2017, but luckily we have this charming video on Softpedia how it works. Its results are, of course, complete and total bullshit. It gathers some basic information from JavaScript about your OS and your browser, sends it to a PHP backend and displays the results, which is a list of generic entries from the Common Vulnerabilities and Exposures database. In my case, it just shows a bunch of entries for some random Linux tools I don’t even have installed. (Damn, Artifex Ghostscript 9.24 and 9.25 were pretty shit releases!) The OS and browser version & settings detectors are copy-pasted from GitHub. The remediation offered for each vulnerability is a link to the Google query for “update Linux”.

The team consists of Mercy Pilkington, Aviva Zacks and “Eric C”. According to LinkedIn, Mercy is the CEO of Author Options, a “fully personalized and personable company who will help you along the way with whatever service your book needs.” Aviva is a freelance content marketer and, with her husband, the co-founder of Writehook, a content marketer firm. None of them have any security-related content on the web outside Safety Detective whatsoever. I’ve never even heard of them nor Safety Detective even though my job description has included following IT security news and wooing security journalists for half a decade.

The vulnerability itself is a glorified write-up of the fact that you could try an airline booking number (the code you enter for online check-in) on El Al’s website without any rate limit, allowing the brute-force guessing of valid codes. Why and how it applies to all Amadeus customers is unknown.

This article seems to be the beginning of a new technique: their previous try was “Microsoft Account Takeover Vulnerability Affecting 400 Million Users”, on 11th December (one day before the antivirus-frenzy). That one seems a valid bug, too: a chain of problems in Microsoft’s authentication system that allows the attacker to craft links that could, in theory, be used for phishing, if the attacker can get the victim to click on them. The pattern is clearly visible: they hire an external freelance hacker to find them a vulnerability that they can then write up, promote and publish. It looks like this time they were lucky – or chose a better go-to-market strategy – as they got Techcrunch to report on the story, too.

It’s impossible to assess the true severity of these vulnerabilities at this point. They make sense and it’s perfectly possible that you could exploit them badly and wreak havoc. But there’s also a good chance that even though this first step was possible, other mechanisms prevented any large-scale exploitation. But these posts are so blatantly promoted by a content marketing machinery that I’d be extra careful about what I believe.


You joined the site just to say all that? :thinking:

Not disagreeing, but somebody will always be first with news. This was an actual hack, so why do we care who is first to report it?

Bugs like this are dime-a-dozen. Yeah, they’re lame and should be fixed, but every reasonably sized system and software will have something like this. El Al/Amadeus fixed the problem and we can’t know how serious it was in the end, nor whether it lead to any actual data loss.

Now, the source is not a publication run by experts or journalists rather a page full of low-quality clickbait written by professional marketers. They are not reporting on an independent finding rather publishing the result of the work of somebody who was specifically hired by them to come up with something like that. They’re heavily promoting the article.

It’s not that the bug wasn’t there. It’s just that it’s not a report about something important that happened rather a story that was manufactured from scratch precisely as a tool to drive traffic to them.

(I’ve been reading Boing Boing for well over 10 years, I was just too lazy to figure out my login, it was easier to just click on “join with Twitter”.)

This topic was automatically closed after 5 days. New replies are no longer allowed.