• this_jury_is_hung@lemmy.world
    22 hours ago

    If the organisation does not respond to the issue for over 100 days, then advising users of how insecure the system is, and that the organisation refuses to fix it, seems like a fairly responsible thing to do.

    • Em Adespoton@lemmy.ca
      21 hours ago

      Yes. But he also disclosed HOW to abuse it. Which means everyone on the Internet now has access to all that information on everyone currently in Frontier’s system.

      He could have just published the general type of exploit they were sitting on and notified their payment processor and the government with the details.

      Instead he outlined to everyone how to access the information and what information was available, and how it could all be chained together.

      • big_slap@lemmy.world
        21 hours ago

        They’ll have this cleaned up in no time; stuff like this happens frequently in cybersecurity. I guarantee you that now this has gone viral, they’ve probably secured the API on their end.