GoKawiilA hot potato: A security researcher has discovered serious vulnerabilities in Frontier Airlines' booking system. Using just two pieces of information printed on every boarding pass – a booking code and a last name – anyone can pull full passport numbers, home addresses, TSA PreCheck codes, and nearly complete credit card details from the airline's API. The vulnerabilities have been known for over three months.
If you've ever flown Frontier Airlines and your boarding pass ended up in a photo, a trash can, or a social media post, your personal data may be accessible to anyone right now.
A security researcher going by BobDaHacker published a detailed disclosure this week revealing that Frontier's mobile API and booking management pages expose the full personal records of every passenger on a reservation to anyone armed with a booking code and a last name.
Both are printed on every boarding pass, and both are encoded in the barcode. The researcher first reported the issues to Frontier on March 3. It is now June 18, 105 days later, and the critical vulnerabilities remain live.
The attack is straightforward. Frontier's mobile API endpoint accepts a six-character PNR (Passenger Name Record) and a last name, and returns a full internal booking object that includes, for every passenger on the reservation:
Full home address (street, city, state, ZIP)
Email address and phone number
Full date of birth, including for minors
Complete, unmasked passport number, issuing country, and expiration date
Known Traveler Number (TSA PreCheck identifier)
... continue reading