Categories: Security

Airport Gate Screens ‘Exposes Personal Data’ Of Passengers

Passengers’ personal data was exposed via a public gate display due to poor security, according to a researcher, who said the incident reflects broader problems in the travel industry.

Symantec computer security researcher Candid Wueest said he was waiting to board a flight at an unnamed European airport when he noticed one of the displays showed a timed-out browser window.

Public-facing server

He opened the IP address displayed on his smartphone and found to his surprise it was available from the public Internet, he wrote in an advisory.

Moreover the server listed debug pages for each flight that listed database records including passengers on the standby list, including information such as their booking reference codes, also known as the passenger name record (PNR), Wueest said.

The travellers’ names were shortened to three to five characters, but full names would be easy to guess, he said.

“Anybody that knew about this publicly accessible server could view passenger PNR codes and guess the last names,” Wueest wrote.

Names and PNRs are usually all that are needed to access passenger bookings, which often contain detailed personal data that could be used for identity theft or targeted email attacks, as well as allowing an attacker to cancel or change bookings.

Booking access

“Once logged in, an attacker can see details about the flight and all other passengers on the same booking,” Wueest wrote. “This includes full names and often email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth.”

He noted there has been increased concern over the security of passenger data such as PNR codes, with such data being visible, for instance, on boarding passes and luggage tags that users may share images of on social media.

He said he reported the issue to the operator involved, which fixed it.

“Fixing the security weaknesses of travel booking systems is no easy task as the global booking systems are heavily interconnected and dependent on each other,” he wrote, adding that the EU’s upcoming General Data Protection Regulation (GDPR) will soon compel businesses to put more effort into protecting customers’ data.

What do you know about outgoing President Barack Obama and his relationship with tech?Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago