IT security researchers have uncovered a gap that allows hackers to take plane tickets from customers who booked and paid online, German media reported. The results spell big problems for passengers and airlines alike.
Millions of people book plane tickets online – it’s a relatively simple process made even easier with six-digit booking codes that allow customers to check in, select seats, add a rental car or even change flight times.
Although the six-digit codes can help to ease travel stress for passengers, they are also security gaps that can be exploited by hackers, German media reported on Monday.
A new report from the German newspaper “Süddeutsche Zeitung” and public broadcaster WDR has uncovered how easy it is for hackers to gain access to booking codes, change customer information and steal a free flight.
Easy and illegal
Karsten Nohl, the founder and head of Security Research Labs (SR Labs), showed reporters from “Süddeutsche” and WDR how the process works – by stealing the reporters’ own plane tickets.
Computer programs are able to search for the six-digit booking codes in a matter of minutes. Hackers can then use the code to access the original customer’s booking and change the flight time and email address.
Easy online check-ins and Europe’s Schengen zone also mean that most European travelers rarely – if ever – have to show their passports while traveling in the passport-free area.
“Really everyone can manage to do it,” Nohl told “Süddeutsche” and WDR – even those without particularly advanced hacking skills can manage to steal a free flight.
“Booking systems lack a security feature that we know from all other computer systems – the password,” Nohl said.
Airline bookings do not require passengers to enter a password at any point in order to change personal information or to add a rental car – they simply identify themselves with the booking code and their name.
Privacy, security consequences
The security gaps in booking systems and codes also pose serious threats to travelers’ privacy and security.
“This is an industry-wide problem,” Nohl said in the reports, adding that a solution is only possible if all airline and booking service providers implement security changes such as changeable passwords.
Travel bookings are managed by a few systems which administer over 90 percent of flight reservations and other travel bookings, the SR Labs website said. These systems connect travel agencies, online booking sites, airlines and passengers – storing a massive data bank of flight and booking information.
Amadeus, one of the largest travel booking systems, is used by airlines such as Air Berlin and Lufthansa and served some 747 million passengers in 2015, the reports said.
When asked to comment on reports of security gaps, an Amadeus spokesman told WDR that a “temporary maintenance window” was to blame for hackers being able to briefly access dozens of booking codes.
Nohl and his colleagues, however, said that they were able to try out “several million combinations over several weeks.”