Stolen flights and more: booking systems’ insecurities

by Linas Kiguolis - -

These days many internet users post their flights, concerts, or even lottery tickets online. However, make sure you don’t do that. A plane ticket with the boarding pass posted online can lure someone to steal it! It is no surprise that people can joke with your ticket data.[1]

booking insecurities

Karsten Nohl and Nemanja Nikodijevic at the Chaos Communication Congress discussed this topic again.[2]

The easy booking becomes more and more popular and flight services providers constantly work in order to keep making bookings easier. Global Distribution Systems (GDS) are used to monitor flight availability, check seats, and are affiliated with Web services. However, the technology does not demonstrate best Web security practices.

When it comes to protection, today’s GDS is outdated and criminals could exploit its vulnerabilities.

The researcher focused on three main GDS from 20, which administer over 90% of flight, hotel, car or other bookings. The systems include Sabre (established 1960), Amadeus (established in 1987), and Galileo (today is known as the unit of Travelport).

As an example, AirBerlin and Lufthansa operate with Expedia and Amadeus, while American airlines use Sabre. As a result, if you purchase a ticket for American Airlines on Expedia your information is recorded by both, Amadeus and Sabre.

GDS’s database usually includes sensitive information: customer’s name, date of birth, passport information, phone number, flight ticket number, and payment information.

In order to access and change this information, GDS technology uses the passenger’s name as a login and six-digit booking code as password, which is printed on boarding passes.

K. Nohl announced at the conference:[2]

If the PNR is supposed to be a secure password, then it should be treated like one. But they don’t keep it a secret: It is printed on every piece of luggage. It used to be printed on boarding passes until it disappeared and they replaced it with a barcode.

Most of the travelers are not informed about the inner flight industry so they do not see anything wrong in publishing their tickets online with PNR, encrypted into a barcode. This barcode is easy to read with special software so if you posting your ticket online, basically anyone who has access to the photo can get access to your sensitive information.

As a result, no need to be a hacker or have special knowledge in order to exploit PNR vulnerabilities. So keep this in your mind when publishing pictures online.

We strongly advise you to not publish your tickets and boarding passes on social media because basically anybody can potentially use it for their benefits.

About the author

Linas Kiguolis
Linas Kiguolis - Senior IT developer

Linas Kiguolis is a senior IT developer and news editor at He has a major in Applied Computer Science because IT has been his passion for a very long time even before he went to college.

Contact Linas Kiguolis
About the company Esolutions


now online
Like us on Facebook