Transport

Flight Booking System Exposes Boarding Pass Details

16 - 23 July 2019


An Insecure Direct Object Reference (IDOR) flaw in the Amadeus flight booking system is compromising travellers’ privacy by exposing their boarding pass details. IDOR occurs when an application provides direct access to objects based on user-supplied input, bypassing the expected authentication and user access controls. The flaw resides in the check-in URL of Amadeus’ ticketing system, where an attacker can view another user’s boarding pass by changing the customer’s ID number in the URL. Amadeus, whose ticketing system is used by 141 international airlines, has already issued a patch for the bug to prevent possible abuse.
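The missing check behind this class of flaw, shown as an added example that is not Amadeus' code: a lookup that trusts the ID from the URL, the same lookup with an ownership check, and a log review that flags a session requesting many records it does not own. All names, the data layout and the sample records are hypothetical, and the session is assumed to be bound to a verified traveller.

```python
from collections import defaultdict

# Constructed sample data: boarding passes keyed by the customer ID seen in the URL.
BOARDING_PASSES = {
    "1001": {"owner": "alice", "flight": "XX123", "seat": "12A"},
    "1002": {"owner": "bob", "flight": "XX456", "seat": "30C"},
}

class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested object."""

def get_boarding_pass_vulnerable(session_user, customer_id):
    # IDOR: the ID from the URL is trusted as-is; session_user is never consulted.
    return BOARDING_PASSES.get(customer_id)

def get_boarding_pass_hardened(session_user, customer_id):
    record = BOARDING_PASSES.get(customer_id)
    # Same error for "missing" and "not yours", so responses do not reveal which IDs exist.
    if record is None or session_user is None or record["owner"] != session_user:
        raise Forbidden("boarding pass not available")
    return record

def flag_enumeration(access_log, threshold=3):
    """Return sessions that requested at least `threshold` distinct IDs they do not own."""
    foreign = defaultdict(set)
    for session_user, customer_id in access_log:
        record = BOARDING_PASSES.get(customer_id)
        if record is None or record["owner"] != session_user:
            foreign[session_user].add(customer_id)
    return sorted(user for user, ids in foreign.items() if len(ids) >= threshold)

if __name__ == "__main__":
    # Constructed access log of (session user, requested customer ID) pairs.
    log = [("alice", "1001"), ("bob", "1001"), ("bob", "1003"), ("bob", "1004")]
    print(flag_enumeration(log))
```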

 

References:

Insecure Direct Object Reference within Amadeus Check-in Application
