How I found that anyone with a boarding pass photo can pull full passport numbers, home addresses, children's dates of birth, credit card details, and Known Traveler Numbers for every passenger on a Frontier Airlines booking. Reported March 3rd. Still live 105 days later.
If the organisation does not respond to the issue for over 100 days, then advising users of how insecure the system is, and that the organisation refuses to fix it, seems like a fairly responsible thing to do.
Yes. But he also disclosed HOW to abuse it. Which means everyone on the Internet now has access to all that information on everyone currently in Frontier’s system.
He could have just published the general type of exploit they were sitting on and notified their payment processor and the government with the details.
Instead he outlined to everyone how to access the information and what information was available, and how it could all be chained together.
They’ll have this cleaned up in no time, stuff like this happens frequently in cybersecurity. I guarantee you that now that this has gone viral, they’ve probably secured the API on their end.
Bug bounties? Guy started with how they reached out over 100 days ago. It’s also bringing to light how many APIs are exposed, as I call into question some stuff I use too.
I’m no expert, but having that data exposed is not using HTTPS then, right? Didn’t a bid for Frontier come from a public group after they filed for bankruptcy? Or maybe that’s Spirit, idc. Either way, not good, however, OP isn’t exposing the actual customer’s information, either.
It is using HTTPS, but all you need to get the full PII dump is a last name and a calculable PNR number. No other authentication required.
You can transfer data over the internet securely (HTTPS) but still have access to their API and get data you shouldn’t be able to get (as they’ve detailed).
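The HTTPS-versus-authorization point in the two comments above, as an added example (not code from the thread, and not Frontier’s actual API; the endpoint shapes, field names, account model and sample bookings are all hypothetical). It contrasts a lookup that treats "PNR + surname" as proof of entitlement with one that also requires an authenticated session whose account owns the booking and masks sensitive fields even then. Transport encryption is identical in both cases; only the server-side authorization check differs.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not the original post's code and not Frontier's API.
# All data below is constructed: no real person, PNR, passport or card.


@dataclass(frozen=True)
class Passenger:
    name: str
    passport_number: str
    date_of_birth: str
    known_traveler_number: str


@dataclass(frozen=True)
class Booking:
    pnr: str
    last_name: str        # surname printed on the boarding pass
    owner_account: str    # hypothetical: account that made the booking
    home_address: str
    card_number: str
    passengers: tuple


BOOKINGS = {
    "ABC123": Booking(
        "ABC123", "Doe", "jane@example.invalid", "1 Example St",
        "4111111111111111",
        (Passenger("Jane Doe", "P1234567", "1980-01-01", "TT111111"),
         Passenger("Sam Doe", "P7654321", "2015-06-30", "TT222222")),
    ),
}


def _locate(pnr: str, last_name: str) -> Optional[Booking]:
    """Find a booking by the two values printed on every boarding pass."""
    b = BOOKINGS.get(pnr.upper())
    if b is None or b.last_name.casefold() != last_name.casefold():
        return None
    return b


def lookup_weak(pnr: str, last_name: str) -> Optional[dict]:
    """Vulnerable pattern: PNR + surname is the only 'authentication'.
    Both values are on the boarding pass, so a photo of it (or, if PNRs
    are predictable, a surname alone) yields the entire record over a
    perfectly good TLS connection."""
    b = _locate(pnr, last_name)
    if b is None:
        return None
    return {
        "home_address": b.home_address,
        "card_number": b.card_number,
        "passengers": [vars(p) for p in b.passengers],
    }


def mask(value: str, keep: int = 4) -> str:
    """Keep only the trailing characters of a sensitive value."""
    return "*" * (len(value) - keep) + value[-keep:]


def lookup_hardened(pnr: str, last_name: str,
                    session_user: Optional[str]) -> Optional[dict]:
    """Hardened pattern: PNR + surname only locate the record. Returning it
    requires an authenticated session whose account owns the booking
    (object-level authorization), and even then the response is minimised."""
    b = _locate(pnr, last_name)
    if b is None:
        return None
    if session_user is None or session_user != b.owner_account:
        return None  # anonymous caller or a different customer: deny
    return {
        "home_address": b.home_address,
        "card_number": mask(b.card_number),
        "passengers": [
            {
                "name": p.name,
                "passport_number": mask(p.passport_number),
                "date_of_birth": "redacted",
                "known_traveler_number": mask(p.known_traveler_number),
            }
            for p in b.passengers
        ],
    }


def leaked_pnrs(last_name: str, candidates: list) -> list:
    """What a guessable PNR space means against the weak endpoint: walk a
    candidate range with one surname and collect every record that comes back.
    Against lookup_hardened the same loop returns nothing."""
    return [p for p in candidates if lookup_weak(p, last_name) is not None]


if __name__ == "__main__":
    guesses = [f"ABC{n}" for n in range(120, 126)]  # constructed candidate range
    print("weak endpoint leaks:", leaked_pnrs("Doe", guesses))
    print("hardened, no session:", lookup_hardened("ABC123", "Doe", None))
    print("hardened, owner:", lookup_hardened("ABC123", "Doe", "jane@example.invalid"))
```

The design point is that the fix is not "more HTTPS" but a check that ties the record to an identity the server has actually verified, plus returning only what that identity needs; a high-entropy, non-sequential locator helps, but it is not a substitute for the authorization check.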
Bug bounties because it appears communication went off the rails when he started asking them for money.
That’s why I said both players in this story are in the wrong. It’s a case study in how NOT to handle responsible disclosure.