Potential attackers could view and change private information in flight bookings made by millions of customers of major international airlines because of a security issue in the Amadeus online booking system found by Safety Detective's Noam Rotem.

Currently, the Amadeus ticket booking system is being used by 141 international airlines which gives it control over 44% of the global online reservation market, with United Airlines, Lufthansa, and Air Canada being some of its clients.

As described by Safety Detective's research labs, the security bug was found when trying to book a flight on the EL AL airline, Israel's national carrier, which sent the security researchers "the following link to check our PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE."

From there it was only a matter of changing the RULE_SOURCE_1_ID which allowed them to view any Passenger Name Record (PNR), giving them access to the passengers' names as well as to all associated flight details.

PNR codes sent in plain text and shared on social media

Using the customer name and the PNR code, the researchers were then able to successfully log into EL AL’s customer portal which allowed them to "make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service."

Options that could be changed for every flight (in Hebrew)

To make matters worse, EL AL sent PNR codes via unencrypted connections which can be easily swiped using man-in-the-middle attacks by bad actors.

Furthermore, Safety Detective's researchers also found that a lot of customers were actually sharing their PNR codes via social media accounts which made them easy targets to anyone knowing about the Amadeus security bug.

After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information. We contacted ELAL immediately to point out the threat and prompt them to close the breach before it was discovered by anyone with malicious intentions.

In the notification sent to the EL AL Israeli airline, the researchers also provided a number of measures that should be taken to mitigate the vulnerability, starting with the introduction of captchas and passwords to replace the 6-character PNR codes, and ending with a protection algorithm against bots to block brute-force scripts like the one they used.

After contacting Amadeus regarding the security breach found in their online reservation system, the company issued the following statement:

At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action and we can now confirm that the issue is solved. To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information. We regret any inconvenience this situation might have caused.

You can find below a video demonstration of Safety Detective's brute-force script used to guess the random PNR codes. The script no longer works after Amadeus patched the security issue in their Central Reservations System (CSR).