Unauthenticated flaw within global airline check-in provider Amadeus

A recently patched unauthenticated flaw within global airline check-in provider Amadeus allowed individuals to download boarding passes belonging to other travers’ that were valid for future flights and gain access to travellers personal information. In a recent technical advisory, 7 Elements discovered that it was possible to download valid boarding passes (not belonging to the user) for future flights that impacted all airlines using the Amadeus Check-in platform. This was due to a weakness within the application known as an IDOR vulnerability (Insecure Direct Object Reference). See OWASP for more background on IDOR. 

Impact: PII – Downloading of valid boarding passes discloses customer names and flight details. The boarding pass also contains the booking reference. With that and the surname it would be possible to gain access to the booking and further sensitive information such as contact details (mobile phone etc). 

Access to Restricted Areas – While further ID checks should prohibit actual use of another users boarding pass to gain access to the flight. The boarding pass could provide access to airside within the departure terminal. As such, malicious use of this issue could result in unauthorised access to all airports serviced by those airlines using the Amadeus platform. It should be noted that additional security controls may restrict the successful use of a boarding pass that has already been used to gain access airside. However, those controls are not uniformly deployed across all airports. 

David Stubley was quoted as saying: “The IDOR vulnerability combined with the ability to identify all airlines using the platform, makes this an issue that impacts Amadeus globally and impacted all airlines utilising the platform. The issue also highlights the importance of gaining assurance that commercial off-the-shelf (COTS) based solutions are fit for purpose and not placing trust in the solution providers hands. As with most things in life, the old saying of ‘Trust but Verify’ is still king.” 

A full technical explanation can be found on the below links: 

• https://www.7elements.co.uk/resources/technical-advisories/insecure-direct-object-reference-within-amadeus-check-in- application 
• https://www.7elements.co.uk/resources/technical-advisories/airline-enumeration-within-amadeus-check-application 
• https://www.7elements.co.uk/resources/blog/i-know-what-you-did-this-summer