Reply to post:

'It's like they took a rug and covered it up': Flight booking web app used by scores of airlines still vuln to attack – claim

yoganmahew

A spokesdroid said:

"The airline industry relies on IATA standards that were introduced to improve efficiency and customer service on a global scale.

"Because the industry works on common industry standards, including the PNR, further improvements should include reviewing and changing some of the industry standards themselves, which will require industry collaboration."

IATA standards me hole.

There's nothing in IATA standards that says you have to spill unsolicited customer details (what other detail is being json'd out and just not displayed?).

The rest of the world's airlines will laugh Amadeus out of the room if they try and bring this up.

It sounds almost like some at Amadeus think API stands for api and not API ;)

(Advanced Passenger Information, security messages to states governed by IATA versus Application Programming Interface, a woefully inadequate way of outsourcing your security to the cheapest code chop-shop).

Once you get into the booking, you have access to all sorts of juicy personal data, some of it PII too, so it's not just GDPR for EU citizens that is in scope.
