Vulnerability in Amadeus portal could allow hackers to steal air miles

A flaw in a flight booking system used by 141 airlines could allow an attacker to access users’ accounts, steal air miles, and modify reservation details.

Two issues discovered in the Amadeus customer portal, a booking system used by 44% of international carriers, could be combined to wreak havoc on a victim’s travel plans.

Passengers of airlines that use Amadeus receive a unique link once booking is complete, researcher Noam Rotem wrote in a blog post.

The URL contains the customer’s Passenger Name Record (PNR) and looks something like this: https://fly.elal.co.il/[PASSENGER-NAME-RECORD].

A hacker could simply change the parameter “RULE_SOURCE_1_ID”, replacing it with any PNR, to view the customer’s name and flight details.

By using these details to log in to the airline’s customer portal, they would then have full access to the account, allowing them to cancel or change reservations, or siphon air miles to another account.

Rotem discovered this while booking flights through Israeli airline EL-AL, which uses Amadeus’ services.

He wrote: “With the PNR and customer name at our disposal, we were able to log into EL-AL’s customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service.”

Rotem added: “Though the security breach requires knowledge of the PNR code, EL-AL sends these codes via unencrypted email, and many people even share them on Facebook or Instagram. But that’s just the tip of the iceberg.”

Indeed it was, since Rotem discovered that the Amadeus portal did not use any brute-force protection – allowing him to successfully obtain all active PNR numbers from airlines that use Amadeus.
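The missing brute-force protection described above leaves a recognizable trace in access logs: one client looking up many different PNRs in a short time. The following Python example is added here and is not code from Rotem or Amadeus; it flags such clients over a sliding window. The log format, the /booking path, the IP addresses, the PNR values and the threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

WINDOW = timedelta(seconds=60)  # assumed look-back window
MAX_DISTINCT = 5                # assumed limit on distinct PNRs per client per window

def sample_log():
    """Constructed log lines: '<ISO time> <client IP> <method> <request target>'."""
    base = datetime(2019, 1, 15, 10, 0, 0)
    fmt = "{} {} GET /booking?RULE_SOURCE_1_ID={}"  # hypothetical path
    lines = []
    for i in range(3):   # traveller reloading one booking
        lines.append(fmt.format((base + timedelta(seconds=20 * i)).isoformat(), "203.0.113.5", "QX7RT2"))
    for i in range(6):   # slow client: six PNRs, ten minutes apart
        lines.append(fmt.format((base + timedelta(minutes=10 * i)).isoformat(), "192.0.2.9", f"AG{i:04d}"))
    for i in range(8):   # one client cycling through eight PNRs in eight seconds
        lines.append(fmt.format((base + timedelta(seconds=i)).isoformat(), "198.51.100.7", f"ZZ{i:04d}"))
    return sorted(lines)  # ISO timestamps sort chronologically

def parse(line):
    ts, ip, _method, target = line.split()
    values = parse_qs(urlsplit(target).query).get("RULE_SOURCE_1_ID")
    return datetime.fromisoformat(ts), ip, values[0] if values else None

def find_enumerators(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client IP: peak number of distinct PNRs seen inside one window}."""
    recent = defaultdict(deque)  # ip -> (timestamp, pnr) pairs still inside the window
    flagged = {}
    for line in lines:
        ts, ip, pnr = parse(line)
        if pnr is None:
            continue
        seen = recent[ip]
        seen.append((ts, pnr))
        while ts - seen[0][0] > window:
            seen.popleft()
        distinct = len({p for _, p in seen})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

if __name__ == "__main__":
    for ip, count in find_enumerators(sample_log()).items():
        print(f"{ip}: {count} distinct PNRs within {WINDOW.seconds}s")
```

Counting distinct PNRs rather than raw requests keeps a traveller who reloads one booking, or a client that looks up a handful of bookings over an hour, below the threshold.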

Amadeus’ hundreds of clients include major carriers American Airlines, Lufthansa, and Air Canada.

Therefore he potentially had access to tens of millions of travelers, Rotem wrote.

The flaw has been fixed by Amadeus, which confirmed it has implemented added security measures.

It said in a statement: “At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action and we can now confirm that the issue is solved.

“To further strengthen security, we have added a Recovery PTR to prevent a malicious user from accessing travelers’ personal information. We regret any inconvenience this situation might have caused.”

Even with added protection there is one other way that an attacker could access PNR numbers, thanks to an ill-thought-out social media trend.

That picture you took to brag about your holiday to the Bahamas? Best to leave the boarding pass out of it.

Posting a picture of any important document on the internet isn’t a great idea anyway, but in many cases the boarding pass also includes the traveler’s PNR number.