Post a comment on Instagram is not at all a good idea

It is better to avoid photographing your boarding passes or throwing them away.

From a simple photo of a boarding pass, it is possible to access its owner's information and to modify it.

The passenger's name, seat on the plane, destination, bank details or the account credited with refunds in case of cancellation... All of this information is easily retrievable and, above all, modifiable, starting from a simple photo posted on social networks. Security researchers Karsten Nohl and Nemanja Nikodijevic presented the worrying findings at the 33rd annual Chaos Communication Congress (CCC) on 27 December.

According to the researchers, the cause is the age of a reservation system shared by airlines and travel agencies, through which billions of pieces of personal information pass without adequate IT security measures.
"The reservation systems lack a security device that we use on all other computer systems - that is, a password," Karsten Nohl told the Süddeutsche Zeitung. On many sites, the passenger's name and a booking code of only six characters are enough to access particularly sensitive data.


A colossal database

Whatever the airline or the travel agency, the air ticket passes through actors such as Amadeus, Sabre and Travelport. Each operates a Global Distribution System (GDS), which manages millions of reservations by associating each ticket with a customer record (containing the buyer's name, email address, telephone number, passport number or bank details, as well as related information such as car or hotel bookings or loyalty programs). In 2015, Amadeus handled the data of 747 million passengers on behalf of airlines such as Air France, Lufthansa and Iberia, as well as travel booking sites, according to the Süddeutsche Zeitung.

Created in the 1960s, the GDSs have not been redesigned to meet current IT security requirements, even though their databases retain and share sensitive customer records with airlines and travel agencies. Their employees sometimes do not even need a password to access them: they simply type in a passenger's name. More serious still, anyone can access a booking record with a passenger's name and their six-character reservation code. This code is often printed on boarding passes and baggage tags. A search of Instagram for the #boardingpass tag, or of an airport's rubbish bins, is enough to find copies.

Without even leaving home or combing through Instagram, an attacker can find the code. At Amadeus, for example, the codes are assigned sequentially in time, Nohl told the Tagesschau. At Sabre, the first and last characters are always letters. Most importantly, many airline websites do not limit the number of queries, so all possible codes can be tried automatically until one works. A malicious person can then cancel a flight and use the resulting credit to book a new one, this time under their own identity, and travel for free.

This practice, however, leaves traces. "To go unnoticed, simply change the name on the loyalty account to that of the victim, which is sometimes possible. Otherwise, we can very well create a new loyalty account. People are already engaging in this type of fraud, simply by collecting the identifiers on Instagram," explains Karsten Nohl. The expert also points out that merely reading a record, for information purposes, remains invisible, because the GDS reservation systems keep logs of write access but not of read access.

A spokesman for Amadeus confirmed to the Tagesschau that a "temporary maintenance fault" had indeed filtered a dozen automated queries in the past. Nohl's research team, however, says it tested two million different combinations. This allowed them to seat an ARD reporter next to MP Thomas Jarzombek.

"Since our study, some [GDSs] have started to implement measures such as captchas or a ceiling on queries per IP address," Karsten Nohl said reassuringly at the conference. "Despite these responsible disclosures, which we are making right now, things do not seem to be moving towards a better system for now," he told Motherboard. As early as 2015, security journalist Brian Krebs had already warned of the risk of throwing away one's boarding pass.
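The two weaknesses the article describes, unlimited lookups of six-character codes and the absence of read-access logs, are what a per-IP query ceiling addresses. The following added example (not code from the researchers, the GDS operators or the original article) runs that check over constructed booking-lookup log lines and flags sources that exceed either a lookup ceiling or a failed-lookup threshold within a sliding window; the log format, IP addresses, codes and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (an assumption, not a real GDS log): timestamp,
# source IP, the six-character booking code tried, and whether it matched.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) code=(?P<code>[A-Z0-9]{6}) result=(?P<result>hit|miss)$"
)

def parse_line(line):
    """Parse one lookup log line; return (epoch, raw_ts, ip, hit) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    epoch = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return epoch, m["ts"], m["ip"], m["result"] == "hit"

def find_enumerators(lines, window=60, max_lookups=10, max_misses=5):
    """Return {ip: timestamp_first_flagged} for sources that exceed either
    the per-IP lookup ceiling or the failed-lookup threshold inside the
    sliding window. Every read is counted, hit or miss, so that read
    access is visible even when the backend only logs writes."""
    recent = defaultdict(deque)   # ip -> deque of (epoch, hit) in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # ignore malformed lines
        epoch, raw_ts, ip, hit = rec
        q = recent[ip]
        q.append((epoch, hit))
        while q and q[0][0] < epoch - window:
            q.popleft()             # drop events older than the window
        misses = sum(1 for _, h in q if not h)
        if ip not in flagged and (len(q) > max_lookups or misses > max_misses):
            flagged[ip] = raw_ts
    return flagged

# Constructed sample: one traveller who mistypes once, and one host that
# walks sequential codes (AB1000, AB1001, ...) one second apart, all missing.
SAMPLE_LOG = [
    "2016-12-27T10:00:00Z ip=198.51.100.5 code=X7Q2KD result=miss",
    "2016-12-27T10:00:09Z ip=198.51.100.5 code=X7Q2KP result=hit",
] + [
    f"2016-12-27T10:01:{i:02d}Z ip=203.0.113.9 code=AB10{i:02d} result=miss"
    for i in range(8)
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.9': '2016-12-27T10:01:05Z'}
```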
