How I found that anyone with a boarding pass photo can pull full passport numbers, home addresses, children's dates of birth, credit card details, and Known Traveler Numbers for every passenger on a Frontier Airlines booking. Reported March 3rd. Still live 105 days later.
Bug bounties? Guy started with how they reached out over 100 days ago. It's also bringing to light how many APIs are exposed, as I call into question some stuff I use too.
I'm no expert, but having that data exposed is not using HTTPS then, right? Didn't a bid for Frontier come from a public group after they filed for bankruptcy? Or maybe that's Spirit, idc. Either way, not good; however, OP isn't exposing the actual customers' information, either.
It is using HTTPS, but all you need to get the full PII dump is a last name and a calculable PNR number. No other authentication required.
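As an added illustration of the authorization gap the comment above describes (example code written for this page, not Frontier's code or anything posted in the thread; the booking record, token and field names are all constructed): the first lookup is the weak pattern, the second adds a per-booking secret and returns only minimised data.

```python
import hmac

# Constructed sample booking; every value here is made up for the example.
# In production the access token would be generated with secrets.token_urlsafe(32)
# and delivered only through the booking confirmation channel, never derived from the PNR.
SAMPLE_TOKEN = "constructed-example-token-not-a-real-secret"
BOOKINGS = {
    "ABC123": {
        "last_name": "Doe",
        "access_token": SAMPLE_TOKEN,
        "passengers": [
            {"name": "Jane Doe", "passport": "X1234567", "dob": "2015-06-01", "ktn": "TT123456789"},
        ],
        "card": {"number": "4111111111111111", "exp": "12/27"},
        "address": "1 Example St, Anytown",
    }
}


def lookup_vulnerable(pnr: str, last_name: str):
    """The pattern the thread describes: PNR + last name is the whole check,
    and the full record (passport, DOB, card, address) comes back."""
    b = BOOKINGS.get(pnr.strip().upper())
    if b is None or b["last_name"].casefold() != last_name.strip().casefold():
        return None
    return b  # returns everything, including fields the caller has no need for


def _mask(value: str, keep: int = 2) -> str:
    """Keep only the last `keep` characters of a sensitive value."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def lookup_hardened(pnr: str, last_name: str, token: str):
    """Hardened form: a high-entropy per-booking token is required on top of
    PNR + last name (compared in constant time), and the response is minimised
    so even a valid lookup never returns raw passport, DOB, KTN or card data."""
    b = BOOKINGS.get(pnr.strip().upper())
    if b is None or b["last_name"].casefold() != last_name.strip().casefold():
        return None
    if not hmac.compare_digest(token.encode(), b["access_token"].encode()):
        return None
    return {
        "pnr": pnr.strip().upper(),
        "passengers": [
            {"name": p["name"], "passport": _mask(p["passport"])} for p in b["passengers"]
        ],
        "card_last4": b["card"]["number"][-4:],
    }
```

Rate limiting and alerting on bursts of distinct-PNR lookups from one client belong in front of either function; they are out of scope here.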
You can transfer data over the internet securely (HTTPS) but still have access to their API and get data you shouldn't be able to get (as they've detailed).
Bug bounties because it appears communication went off the rails when he started asking them for money.
That’s why I said both players in this story are in the wrong. It’s a case study in how NOT to handle responsible disclosure.