Frontier Airlines site leaks all personal info with just a glance at a boarding pass, researcher claims — booking number and last name nets you every passenger's personal info, including address, passport, TSA PreCheck, and most credit card info
Buckle up, we're about to hit some turbulence.
Bob is a hacker. Just over three months ago, they found serious vulnerabilities in Frontier Airlines' API and website that would let anyone with a boarding pass code for a flight retrieve every passenger's personal information, including but not limited to home address, nearly all credit card info, full passport details, and even TSA PreCheck codes. The boarding pass code (called a PNR) is printed on the pass itself and is also scannable via its barcode; plus, since it's only six digits, it's easy to loop through, something they replicated to find several passengers' full info.
Bob notified Frontier about the problem, but the company did very little to fix it: getting hold of the aforementioned info now required the passenger's last name, which is also printed on the pass. So they published a post on their blog detailing several vulnerabilities in Frontier's website.
The security vulnerability is dead simple: all you have to do is take a peek at someone's boarding pass, and either note the number and the person's last name, or scan the associated barcode. Either is trivial with a phone. Then you feed that info into one of Frontier's mobile API endpoints, and presto, the reply includes every passenger's home address, e-mail, phone number, full date of birth, full passport data, almost the entire credit card number save for the five middle digits and the CVV, payment history, TSA PreCheck code, and more.
All of that info is usable for identity theft, stalking, or any number of other nefarious criminal activities. The TSA PreCheck code (Known Traveler Number) is particularly concerning for airlines, as it opens the possibility of an identity thief getting past security checks. As for the credit card number, since the first six digits and last four are exposed along with the cardholder's name and expiration date, the middle five digits are easy enough to guess, and the CVV code on the back becomes the sole load-bearing security feature.
This is hardly the end of it, though. As Bob came to find, the booking management pages on Frontier's website (also reachable with just the booking number and a last name) likewise expose personal information in their page source and/or API responses. Standard security practice dictates that easily accessible pages like these follow the principle of data minimization: retrieve and display only the bare minimum until more is absolutely necessary.
Bob found that the "Manage My Booking" page plainly includes the name, e-mail, and phone number in its source code, while the "Passengers / Edit" page again reveals each person's full name, country, date of birth, full passport info, and TSA PreCheck number. Ironically, Frontier attempted a fix for the former issue, only for the fixed version to reveal more info than it originally did. These pages do obscure the data for display purposes, but it's right there in the source code and API calls.
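The two preceding paragraphs describe the core design failure: a weakly authenticated lookup (PNR plus last name) whose response carries the full passenger record, with masking done only in the browser. The following Python is an added example written for this article, not Frontier's code; the passenger record, field names, endpoint shape and the per-client failure budget are all constructed assumptions. It contrasts the "before" handler, which hands the whole record to the client, with a handler that applies a field allowlist and masks the card number on the server, and it includes a small check a reviewer could run over captured API responses to list which sensitive fields leaked.

```python
"""Data-minimization example for a 'manage my booking' style API.

Added illustration, not the airline's code. The record, field names and
endpoint shape below are constructed for this example.
"""

# Constructed sample record: the kind of data the article says the real
# endpoint returned in full. Values are fake.
PASSENGER_DB = {
    "ABC123": {
        "last_name": "Doe",
        "first_name": "Jane",
        "email": "jane@example.com",
        "phone": "+1-555-0100",
        "address": "1 Example St, Springfield",
        "date_of_birth": "1980-01-01",
        "passport_number": "X12345678",
        "known_traveler_number": "TT123456789",
        "card_number": "4111111111111111",
        "card_expiry": "12/29",
    }
}

# Fields a booking-management page actually needs in order to render.
DISPLAY_ALLOWLIST = ("first_name", "last_name", "email", "phone")

# Fields that must never leave the server on a PNR + last-name lookup.
SENSITIVE_FIELDS = {
    "address", "date_of_birth", "passport_number",
    "known_traveler_number", "card_number", "card_expiry",
}


def vulnerable_lookup(pnr, last_name):
    """'Before' shape: weak auth, then the whole record goes to the client.
    Any masking the browser does afterwards is cosmetic; the data is in
    the response body and in the page source."""
    rec = PASSENGER_DB.get(pnr)
    if rec and rec["last_name"].lower() == last_name.lower():
        return dict(rec)
    return None


def mask_pan(pan):
    """Server-side masking: keep only the last four digits of the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def sensitive_fields_in(response):
    """Review check: which sensitive keys does an API response contain?"""
    if not response:
        return set()
    return SENSITIVE_FIELDS & set(response.keys())


class BookingApi:
    """Hardened shape: allowlist the response, mask on the server, and
    budget failed lookups per client so a six-digit PNR space cannot be
    swept cheaply. The budget is a mitigation, not a substitute for a
    stronger credential than PNR + last name."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}  # constructed: failed-lookup count per client key

    def lookup(self, pnr, last_name, client="anonymous"):
        if self.failures.get(client, 0) >= self.max_failures:
            return {"error": "rate_limited"}
        rec = PASSENGER_DB.get(pnr)
        if not rec or rec["last_name"].lower() != last_name.lower():
            self.failures[client] = self.failures.get(client, 0) + 1
            # Same answer for unknown PNR and wrong name: no oracle.
            return {"error": "not_found"}
        out = {k: rec[k] for k in DISPLAY_ALLOWLIST}
        out["card_display"] = mask_pan(rec["card_number"])
        return out


if __name__ == "__main__":
    print("leaked by vulnerable handler:",
          sorted(sensitive_fields_in(vulnerable_lookup("ABC123", "Doe"))))
    api = BookingApi()
    print("hardened response:", api.lookup("ABC123", "Doe"))
```

The point of `sensitive_fields_in` is that it runs against the response body rather than the rendered page: the article's "fixed" pages still failed exactly this check, because obscuring a value in the UI does nothing about the JSON or page source behind it.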
The security expert originally reached out to Frontier on March 3 and followed up on March 9, attempting to follow the standard 90-day disclosure procedure. The company fixed the one vulnerability and sent Bob a model plane for their trouble. Bob followed up with the additional data-exposing issues and started a "compensation discussion" with the company. Frontier apparently flip-flopped on a proper response. Now, Bob says Frontier's critical vulnerabilities are still live and that Frontier's passengers "deserve better."
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.