Research from an Edinburgh-based cybersecurity firm, 7 Elements, has uncovered vulnerabilities in check-in software used by scores of airline operators.
The security vulnerability, research shows, could enable users to access and view other people’s boarding passes, along with other sensitive personal details. While the flaw has since been patched by Amadeus IT Group – the software creator – the flaw raises serious questions over boarding pass security.
Amadeus Group creates software for the travel sector, with its products used by around 500 airlines globally, including US travel giant United Airlines.
This particular flaw, known as an IDOR vulnerability (Insecure Direct Object Reference), was discovered by 7 Elements CEO David Stubley as he awaited a flight home from Birmingham to Edinburgh with Flybe. Both Amadeus and Flybe were informed of the vulnerability.
While waiting for his flight, Stubley began testing the structure of the Amadeus web application’s URL. In a proof of concept, Stubley commented: “It was possible to enumerate supported airlines of the Amadeus Check-in Application using the URL generated as part of an airline mobile application check-in process.”
This proof of concept shows, according to Stubley, that “due to a lack of authentication required for access to the resource as well as a lack of brute force protection, it was possible to automate an attack to enumerate supported airlines”.
In a technical advisory published by 7 Elements, Stubley said: “It was possible to download valid boarding passes (not belonging to the user) for future flights due to a weakness within the application (Insecure Direct Object Reference).
“Insecure Direct Object Reference or IDOR vulnerabilities occur when an application provides direct access to objects based on user-supplied input, bypassing expected authentication and user access controls.”
This IDOR flaw, combined with the ability to determine all airlines using the platform “makes this an issue that impacts Amadeus globally” and would likely impact all airlines using this platform, Stubley explained.
By downloading valid boarding passes, one could access customer names and flight details. These boarding passes also contain booking references and surnames, from which it would be possible to gain access to the booking and additional sensitive information such as mobile phone numbers and other personal details.
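The weakness Stubley describes, shown as an added illustration that is not code from 7 Elements, Amadeus or this article: a lookup handler that returns whatever record the caller names, beside a hardened version that binds the record to the authenticated account, answers “not yours” and “does not exist” identically, and throttles repeated lookups (the missing brute-force protection noted in the research). Every name, id, booking reference and flight number below is constructed for the example.

```python
"""Vulnerable vs. hardened boarding-pass lookup (added example, constructed data)."""
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class BoardingPass:
    pass_id: int
    owner: str          # account that performed check-in (constructed)
    passenger: str
    booking_ref: str    # locator-style reference, constructed
    flight: str


# Constructed store keyed by sequential ids; with an IDOR a caller can simply
# ask for the next id and receive someone else's pass.
PASSES = {
    1001: BoardingPass(1001, "alice@example.com", "A. SMITH", "ABC123", "XX1234"),
    1002: BoardingPass(1002, "bob@example.com", "B. JONES", "XYZ789", "XX5678"),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


class TooManyRequests(Exception):
    pass


def vulnerable_get_pass(session_user, pass_id):
    """IDOR: the only thing selecting the object is the caller-supplied id.
    The authenticated user is never compared with the record's owner."""
    record = PASSES.get(pass_id)
    if record is None:
        raise NotFound
    return record


# --- hardened version -------------------------------------------------------
# Per-account sliding window; values are illustrative, not a recommendation.
WINDOW_S, MAX_PER_WINDOW = 60.0, 5
_attempts = defaultdict(list)


def _rate_limited(key, now=None):
    """Record one attempt for `key`; True once the window holds more than the cap."""
    now = time.monotonic() if now is None else now
    hits = [t for t in _attempts[key] if now - t < WINDOW_S]
    hits.append(now)
    _attempts[key] = hits
    return len(hits) > MAX_PER_WINDOW


def hardened_get_pass(session_user, pass_id, now=None):
    """Object-level authorisation: authenticate, throttle, then check ownership.
    Missing and foreign records get the same answer so ids cannot be enumerated
    by comparing responses."""
    if session_user is None:
        raise Forbidden("authentication required")
    if _rate_limited(session_user, now):
        raise TooManyRequests
    record = PASSES.get(pass_id)
    if record is None or record.owner != session_user:
        raise NotFound
    return record


if __name__ == "__main__":
    print(vulnerable_get_pass("alice@example.com", 1002))   # leaks Bob's pass
    try:
        hardened_get_pass("alice@example.com", 1002)
    except NotFound:
        print("hardened: Bob's pass is not visible to Alice")
```

The ownership comparison is the actual fix; the uniform `NotFound` and the throttle are the supporting controls that make remaining ids expensive to guess. In a real deployment the store, session and rate-limit state would live outside the process, but the checks run in the same order.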
In a concerning twist, Stubley explained that an individual could even use a boarding pass to gain access to restricted areas of an airport terminal, such as the departure lounge – although this would only apply to airports used by the impacted airlines.
“While further ID checks should prohibit actual use of another user’s boarding pass to gain access to the flight, the boarding pass could provide access to airside within the departure terminal,” he said. “As such, malicious use of this issue could result in unauthorised access to all airports serviced by those airlines using the Amadeus platform.”
Stubley noted that additional security controls “may restrict” the successful use of a boarding pass that has already been used to gain access airside. However, “those controls are not uniformly deployed across all airports”.
This particular issue, he said, “highlights the importance” of gaining assurance that commercial off-the-shelf based solutions are “fit for purpose” and that airlines are not simply placing trust in the solution providers’ hands.
“As with most things in life, the old saying of ‘Trust but Verify’ is still king,” Stubley said.
7 Elements also published a timeline of this research, which shows that remediation of the issue was completed by Amadeus on the 15th of July, several days after the initial advisory was sent by Stubley.
- Advisory sent – 8th July 2019 (to FlyBe), 10th July 2019 (to Amadeus)
- Requested confirmation that the advisory has been received by Amadeus – 11th July 2019
- Update and confirmation that Amadeus are taking remediation action (advised via FlyBe) – 11th July 2019
- Advised Civil Aviation Authority (CAA) on vulnerability – 11th July 2019
- Requested update from Amadeus and provided notice to publish – 12th July 2019
- Remediation activity completed by Amadeus (based upon dates provided by FlyBe) – 15th July 2019
- Advisory published by 7 Elements – 16th July 2019