A passenger on a flight found a bug that could have revealed passengers’ personal information, such as first and last names, emails, addresses, billing names, and credit card details. As per reports, the bug was patched the following day after the airline was alerted about it.
The unnamed passenger found this bug while getting bored on a 14-hour-long flight and boasted of acquiring access to millions of user accounts without needing any interaction upon exploiting the bug.
How it all began?
The passenger wanted to access the web using the airline’ Wi-Fi and decided to check the price. Upon realizing that the airline’s Wi-Fi provider offered a bug bounty program, they decided to check the security measures before entering their credit card details. The bug bounty program offers monetary rewards to find vulnerabilities as it allows timely patching, hence preventing possible hacking.
After creating a test account and browsing some pages online while being onboard, the individual noticed a request that contained their personal information, including the user_name field. This was the request:
GET /edge/apidecorator/v3/customer?data_types=PERSONAL,PMTINSTRUMENTS,GROUP_ATTRIBUTES
&requester=GOGO_INTERNET&tracking_id=uxdId-_A25AE4339A5309CCFA508534B9933
&user_name=testingz20221118213555&uxd_id=uxdId-__A25AE4339A5309CCFA508534 HTTP/1.1
Host: gbp.inflightinternet.com
Testing the breaching mechanism
They began testing usernames which gets difficult because of the time stamp, and then created another account using the username that had come up in the search. However, the new account worked and allowed them the option to switch from user_name format to email_address because that was in the response that showed up. They then tried customer_id seeing that those are integers to see if it also exposes data. Upon successful testing, they realized that it was enough to expose all the users by changing the customer ID numbers and increasing the damage caused by exploiting the vulnerability.
After this, they tested for other bugs by using their second account. The password change function used two requests including POST /edge/apidecorator/v2/customer/authenticate/ that validated the user’s auth. A PUT request to /edge/apidecorator/v2/customer/ showed the following results:
{“resetPassword”: {“password”: “password123!”},
“user”: “testingz20221118213555”,
“uxdId”: “uxdId-GET /edge/apidecorator/v3/customer?data_types=PERSONAL,PMTINSTRUMENTS,GROUP_ATTRIBUTES&requester=GOGO_INTERNET&tracking_id=uxdId-_A25AE4339A5309CCFA508534B99332B0_1668735922_0avmL6L5q&user_name=testingz20221118213555&uxd_id=uxdId-__A25AE4339A5309CCFA508534B99332B0_1668735922_0avmL6L5q HTTP/1.1__A25AE4339A5309CCFA508534B99332B0_1668735922_0avmL6L5q”}
The passenger also used a friend’s account to be sure the bugs were indeed exploitable and were proven to be positive. They contacted the Aviation ISAC, who then helped resolve the issue and offered patches for the vulnerability.
With the increase in global air travel growth, which is expected to grow by over 8.2 billion in 2037, it is of paramount importance to secure its systems and be in contact with vendor-provided services. According to research by Thales and Verint, aerospace is the fifth in line as the most cyberattacked sector.
