back to article 'It's like they took a rug and covered it up': Flight booking web app used by scores of airlines still vuln to attack – claim

A security hole in a widely used airline reservation system remains open to exploit, allowing miscreants to edit strangers' travel details online, The Register has learned. A fix to close the vulnerability was incomplete, and thus ineffective, it is claimed. White hats at Safety Detective told us today the security flaw in …

  1. Doctor Syntax Silver badge

    "At Amadeus, we give security the highest priority and are constantly monitoring and updating all of our products and systems. We became alerted to an issue in one of our products and our technical teams took immediate action. We are working closely with our customers and we regret any disruption this situation may have caused,"

    Yet again you've let them get away with an anodyne statement. Did you ask how bad it would have been if they didn't give security the highest priority?

    The last sentence was puzzling until I realised their "customers" are the airlines, not those booking flights who obviously don't enter into the matter at all. Mustn't make life harder for airlines by making work (disruption) for them.

    1. elDog Silver badge

      "At Amadeus, we give security the highest priority..." blah-blah-blah

      You beat me to a similar comment.

      I would just say that the real goal is maximizing executive pay. While the customer (flying passenger) is just cattle, the airlines are just cattle haulers. The jerks with perks are the real priority.

    2. diodesign (Written by Reg staff) Silver badge

      "Yet again you've let them get away with an anodyne statement"

      We've just published a whole article accusing them of bungling a security patch. I think Reg readers are smart enough to see and appreciate the irony of a vendor claiming they take security seriously despite such findings. The juxtaposition is exquisite.

      If you think the statement makes them look good, rather than uncaring and dismissive, then you need to dial up the cynicism just a little.

      C.

      1. Doctor Syntax Silver badge

        Re: "Yet again you've let them get away with an anodyne statement"

        "If you think the statement makes them look good"

        We know it doesn't. But either (a) they think it does or (b) they know it doesn't but they don't care because they never get challenged to their faces so they and all the others will just do the same. They need to get taken to task.

        1. Michael Wojcik Silver badge

          Re: "Yet again you've let them get away with an anodyne statement"

          They need to get taken to task.

          I have to side with Chris and the Reg on this. They were pretty clearly taken to task in the article, and explicitly mocking the Amadeus response is unnecessary. Anyone capable of critical thought will see through it; anyone not capable won't profit from being told directly.

          1. Cpt Blue Bear

            Re: "Yet again you've let them get away with an anodyne statement"

            You are conflatng two separate issues.

            They have certainly been taken to task for their failure actually fix their crappy system.

            They were allowed to get away with issuing a statement that is plainly contradicted by their own actions. This is what we are complaining about.

    3. the Jim bloke Bronze badge

      The entire statement from the spokesperson was as rote and meaningless as "good morning" or "have a nice day", usually used when you just want the target to get out of your way and stop bothering you.

    4. Nattrash

      It never stops to amaze, these template, 1st marketing lesson replies. And since we're talking air travel and, connected to that, on line payments and stuff, it's infuriating to see confirmed once again that this all is clearly a one way street.

      Especially when you consider the discrepancy between how this is regarded/ handled, and the traveller:

      --- taking of all his/ her clothing before checkin "for your own security"

      --- getting in a machine scanning him/ her down to the pubs "to increase safety"

      --- doing the required (think banking/ payments) software updates on his/ her devices because else "they are not on the latest safety standards", hence outside liability.

      --- needs to finance (renewed) biometrics documents "to enhance security"

      --- needs to submit to constant monitoring and facial recognition "to secure your safety"

      --- oh, and do and pay all kinds of on line visa filling in, hoop jumping and purchasing "to reduce any burden and enhance your experience"

      Funny though, that while we're all dancing, we're never allowed to say something abut the tune...

      1. mr-slappy
        Joke

        --- getting in a machine scanning him/ her down to the pubs...

        Is nowhere safe from these nefarious machines? Can I not even have a quick pint at my local without being scanned?

    5. Mike 125

      yet again.

      >Yet again you've let them get away with an anodyne statement.

      Oh yea. Thanks. We all missed that.

      >Did you ask how bad it would have been if they didn't give security the highest priority?

      Goddamn, of course! That's gonna work. Why didn't anyone else think of it?

      This sort of ironic reaction from corporate suits surprises exactly nobody any more. It's a script and everybody knows it. But it still needs to be put out there, so there's a record of more 'just doing what everybody else does'. Eventually, maybe, these people will be held to account.

    6. yoganmahew

      A spokesdroid said:

      "The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale.

      "Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which will require industry collaboration"

      IATA standards me hole.

      There's nothing in IATA standards that says you have to spill unsolicited customer details (what other detail is being json'd out and just not displayed?).

      The rest of the world's airlines will laugh Amadeus out of the room if they try and bring this up.

      It sounds almost like some at Amadeus think API stands for api and not API ;)

      (Advanced Passenger Information, security messages to states governed by IATA versus Application Programming Interface, a woefully inadequate way of outsourcing your security to the cheapest code chop-shop).

      Once you get into the booking, you have access to all sorts of juicy personal data, some of it PII too, so it's not just GDPR for EU citizens that is in scope.

      1. EnviableOne Bronze badge

        The rest of the airleines will saty put as its to costly to change and the other systems SABRE et all are just as bad.

        Whille the largley pointless security is put in the airports (tell me if its actually caught anyone) the sales and reservation system is open to world and dog

  2. Toolman83

    GDPR much?

    Fines of 10M Euro or 2% of the company revenue might focus management's attention...

    someone should bring it to the attention of the regulator ASAP!

    1. Gordon 10 Silver badge
      Meh

      Re: GDPR much?

      Someone has to prove there was a leak first. A vulnerability is not a leak.

      1. Anonymous Coward
        Anonymous Coward

        Re: GDPR much?

        It is if the leak has been shown to happen - see the screenshot of real customers data in the article!

      2. yoganmahew

        Re: GDPR much?

        If they allow brute force (aren't checking for it), it supposes they aren't checking who is accessing their APIs. So they may have no idea whether it has been used...

      3. Anonymous Coward
        Anonymous Coward

        @Gordon 10: Re: GDPR much?

        Not this again. GDPR, amongst other things, requires you to take appropriate safeguards to protect data.

        It does NOT say you can do anything the hell you want as long as you don't actually suffer a leak.

    2. thecornflake

      Re: GDPR much?

      4% potentially (and that's of turnover not profit so for a company with a tight profit margin could quite easily put them out of business). And that would be the airlines liable for the fine because they're the data controller.

      I flew with 2 airlines last year, might check if either uses that system..

  3. aaaa

    and our technical teams took immediate action

    The much-maligned epithet "all businesses are IT businesses" actually has quite a lot of relevance.

    The phrase "and our technical teams took immediate action" shows just how out of touch senior management is.

    It would be as if the director of Boeing, criticised that his planes can't stay in the air replied "our technical teams are taking immediate action...".

    It's not your technical team that needs to take action, it's the whole company that needs to take action, starting with the board.

    1. Anonymous Coward
      Anonymous Coward

      Re: and our technical teams took immediate action

      It would be as if the director of Boeing, criticised that his planes can't stay in the air replied "our technical teams are taking immediate action...".

      Many would argue that Boeing's response to the Lion Air crash a while back is along those lines. Effectively, it was "Here's how to deal with a system that we didn't tell you about that has a fatal failure mechanism", ie they're not planning on fixing the real cause.

      1. Danny 14 Silver badge

        Re: and our technical teams took immediate action

        apart from the fact the air investigation is pointing squarely at the maintenance issues. The AOA autopilot on the MAX series is documented and a pilot course is available, airlines assume a new 737 is the same as thebold 737 and havent sent pilots on the course. Is this Boeings fault or the airline?

        1. Anonymous Coward
          Anonymous Coward

          Re: and our technical teams took immediate action

          It’s Boeing’s. The Max wasn’t documented at the time, and the course wasn’t available. The differences were only made apparent after the crash.

        2. Norman Nescio Silver badge

          Re: and our technical teams took immediate action

          apart from the fact the air investigation is pointing squarely at the maintenance issues. The AOA autopilot on the MAX series is documented and a pilot course is available, airlines assume a new 737 is the same as thebold 737 and havent sent pilots on the course. Is this Boeings fault or the airline?

          It's a little early to say in which direction the investigation is pointing. The Lion Air Cockpit Voice Recorder was only very recently recovered from 30 metres down, under 8 metres of mud and silt, and no analysis has been released yet. In the absence of the CVR it is only natural that the investigation would look at the things they do have access to - such a maintenance logs, aircrew training, and the contents of the recovered Flight Data Recorder. No mention has been made of any Quick Access Recorder - which is likely not to have not have survived as it is not designed to be 'crash survivable' or findable.

          (PPRuNe thread - CVR recovery is post #2085)

          Apparently well qualified commentators on the PPRuNe thread opine that Boeing have been less than forthright about MCAS. I am not qualified to have an opinion of any value, but I do know enough to listen to people with more expertise than me. While speculation is an interesting exercise, it is probably worth waiting for any forthcoming interim reports, and for the final report from the Indonesian National Transportation Agency (KNKT).

          I share your interest in the outcome, and I hope for all our sakes that the correct conclusions are reached in the final report so that air transport safety can be improved. This isn't about blame, but about improving the system so that loss of lives due to similar failings can be avoided in future. In some ways, a blame culture is antithetical to a safety culture*. I would not be surprised to find that many involved parties will find improvements that can be made - people often talk about 'the holes in the Swiss cheese lining up', meaning that many small failings, often in different areas, can combine to result in an incident. No one of them can be identified as the root cause of the problem, but it is incumbent upon every identified party to improve.

          NN

          *Air transport safety has been improved by the adoption of a 'just culture' rather than blame culture. There is an introductory article with decent references on SKYbrary: Just Culture, and a similar article from the rail industry regarding a 'no-blame culture' here: Assetivity(Asset Management Consultants): The Importance of a No-Blame Culture for Safety and Reliability Improvement .

    2. Crisp Silver badge

      Re: and our technical teams took immediate action

      They did take immediate action! They very quickly applied a sticking plaster to the gaping wound.

      Taking immediate action is not the same as fixing the bloody problem.

  4. jmch Silver badge

    Surprised about El Al

    The Israelis are usually paranoid about security, and in their case it is certainly real security as opposed to the security theater in the US and many 'western' states, so I'm surprised they wouldn't have fixed this properly when given the chance. Unless of course there's nothing they can do themselves because it's completely screwed up on Amadeus' side.

    1. This post has been deleted by a moderator

      1. LDS Silver badge

        "the Israelis are pretty good at physical security, much less so at cyber security."

        Are you sure?

      2. Mooseman Bronze badge

        Re: Surprised about El Al

        "most of their passengers are goyim, so only as important as their wallets"

        Care to post any more anti semitic stereotypes?

    2. Anonymous Coward
      Anonymous Coward

      Re: Surprised about El Al

      I was half expecting that sentence to read "El Al have been notified and Mossad paid

      an appropriately respectful visit to Amadeus' CEO sometime around 3AM."

  5. Anonymous Coward
    Anonymous Coward

    So I have the displeasure of working for British Scare-ways (BA) on their internal system that replicated the BA Amadeus data, to reduce cost, before they reduced the cost even more by outsourcing (axe-grind, grind, grind!).

    I'm not sure that it was a "web-based" system, looked rather like a (old) text command line driven system - you would issue text commands and then after you acknowledged it would reply with all the information and confirmation which could lead to security issues like this. For example to add a name element it would be "NM1SMITH/JOHN MR" etc.

    Most airlines seemed to just call these services (if you can call them that) from their web applications. We wrapped a lot of this up in SOAP web services, which was quite horrid.

  6. Will Godfrey Silver badge
    FAIL

    Am I surprised?

    No

  7. HieronymusBloggs Silver badge
    Facepalm

    What's the problem?

    Only those highly skilled hackers who can read HTML source code will be able to exploit this.

  8. phuzz Silver badge
    Thumb Up

    I thought the 'fix' to the brute forcing problem was going to be: "we put it on a really shitty server that can't serve more than 10 requests per second. Problem solved!"

  9. Stevie Silver badge

    Bah!

    Sounds like a job for ... Blockchain!

    Fire up the roof-mounted Blockchainsignal!

  10. JaitcH
    Unhappy

    All GDS (Global Distribution Systems) / CRS (Central Reservation System) Had Weak Security

    SABRE originally linked to Travel Agents through WANS which had extremely weak security. In fact, minor BAT file changes would allow an agent to look at other agent's traffic.

    A website operator in Toronto actually published how both SABRE and APOLLO could be broken (these were in the days when the term Hackers referred to telephone system rogues).

    Both SABRE and APOLLO commenced separate civil actions against the website in the The Superior Court of Ontario although neither resulted in judgements. These were American companies operating in Canadian courts whose practices are based, naturally, on the British legal system. There was a temporary injunction issued but practising Wack-A-Mole techniques another website was opened in the Far East and a continuing stream of information caused security precautions to be increased.

    National police / intelligent forces have full access to ask the data on all GDS (Global Distribution Systems) / CRS (Central Reservation System).

    Air is the worst transportation system to use to escape from the law - ask Nick Leeson or CHOY Hon Tim - both of Singapore!

  11. Anonymous Coward
    Anonymous Coward

    Problem solved?

    Remember the guy who found it was cheaper to change his name than get the airline to correct a mistake on his ticket.

    Would it now be cheaper to employ a (ethical) hacker to fix the booking error?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019