• NM_Gringo@lemmy.world · ↑5 · 22 hours ago

    Good grief. Everything but your social and mother’s maiden name. I wonder if other airlines are just as bad? Obviously big companies aren’t worried about data security.

    • Lost_My_Mind@lemmy.world · ↑9 · 22 hours ago

      Why would they be? If anything leaks, it’s not THEIR info getting leaked. It’s the peasants, and what billionaire gives a fuck about the peasants???

      I mean…I’m being blunt, but not being absurd. This IS how they really think. I’m just saying the quiet part out loud.

  • habitualTartare@lemmy.world · ↑3 · 21 hours ago

    I’m not familiar with the source, and they probably have some critical findings, but this reads like AI slop wrote it.

  • Em Adespoton@lemmy.ca · ↑10 ↓6 · 23 hours ago
    1. Bad on Frontier. They are breaking both government and banking obligations, which could land them with significant fines or even end their contract with their payment processor.
    2. Bad on the researcher. This is not how you do responsible disclosure. It’s also not how you get paid for bug bounties.
    • this_jury_is_hung@lemmy.world · ↑22 · 22 hours ago

      If the organisation does not respond to the issue for over 100 days, then advising users of how insecure the system is, and that the organisation refuses to fix it, seems like a fairly responsible thing to do.

      • Em Adespoton@lemmy.ca · ↑3 ↓5 · 21 hours ago

        Yes. But he also disclosed HOW to abuse it. Which means everyone on the Internet now has access to all that information on everyone currently in Frontier’s system.

        He could have just published the general type of exploit they were sitting on and notified their payment processor and the government with the details.

        Instead he outlined to everyone how to access the information and what information was available, and how it could all be chained together.

        • big_slap@lemmy.world · ↑4 · 21 hours ago

          They’ll have this cleaned up in no time; stuff like this happens frequently in cybersecurity. I guarantee you that now that this has gone viral, they’ve probably secured the API on their end.

    • unitedwithme@lemmy.today · ↑13 ↓1 · 23 hours ago

      Bug bounties? The guy started with how they reached out over 100 days ago. It’s also bringing to light how many APIs are exposed, as I call into question some stuff I use too.

      I’m no expert, but having that data exposed means it’s not using HTTPS, right? Didn’t a bid for Frontier come from a public group after they filed for bankruptcy? Or maybe that’s Spirit, idc. Either way, not good; however, OP isn’t exposing the actual customers’ information, either.

      • Godort@lemmy.ca · ↑6 · 23 hours ago

        It is using HTTPS, but all you need to get the full PII dump is a last name and calculable PNR number. No other authentication required.

      • big_slap@lemmy.world · ↑2 · 21 hours ago

        You can transfer data over the internet securely (HTTPS) but still have access to their API and get data you shouldn’t be able to get (as they’ve detailed).
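The point made in the last two replies (Godort's "last name plus a calculable PNR, no other authentication" and big_slap's "HTTPS does not stop you reading data you shouldn't have") as an added worked example. This is illustration code written for this thread, not Frontier's API and not anything from the linked write-up: a hypothetical booking-lookup service whose weak handler authenticates on two guessable values and returns the full record, next to a hardened handler that requires an authenticated session, enforces object-level ownership, and returns a reduced view. The `Booking` records, account ids and the in-memory `SESSIONS` store are all constructed for the example.

```python
"""Hypothetical booking-lookup API, added for illustration (not Frontier's code).

TLS protects the request in transit; it says nothing about whether the caller
is entitled to the record. The weak handler treats two low-entropy, guessable
values (last name + record locator) as proof of identity and returns the full
record. The hardened handler authenticates the caller, checks that the caller
owns the booking, and returns only what the use case needs.
"""
import secrets
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Booking:
    pnr: str            # six-character record locator
    last_name: str
    owner_account: str  # account that created the booking
    full_name: str
    email: str
    phone: str
    dob: str


# Constructed sample records for the example; no real passengers.
BOOKINGS = {
    "ABC123": Booking("ABC123", "Smith", "acct-1", "Jane Smith",
                      "jane.smith@example.com", "+1-555-0100", "1980-01-01"),
    "ABC124": Booking("ABC124", "Jones", "acct-2", "Bob Jones",
                      "bob.jones@example.com", "+1-555-0101", "1975-06-30"),
    "ABC125": Booking("ABC125", "Smith", "acct-3", "Ann Smith",
                      "ann.smith@example.com", "+1-555-0102", "1990-12-12"),
}


class AuthError(Exception):
    """Caller has no valid session."""


class NotFound(Exception):
    """Record missing or not owned by the caller (deliberately the same error)."""


def lookup_weak(pnr: str, last_name: str) -> dict:
    """Weak: knowing pnr + last name is treated as authentication.

    Both values are guessable, so anyone who can predict record locators and
    try common surnames receives the complete PII of strangers over a perfectly
    good TLS connection.
    """
    b = BOOKINGS.get(pnr.upper())
    if b is None or b.last_name.casefold() != last_name.casefold():
        raise NotFound("no match")
    return asdict(b)


def exposed_records(last_name: str, candidate_pnrs) -> int:
    """Count how many full records the weak handler hands to a caller who knows
    only a surname and a list of candidate locators (the enumeration risk)."""
    hits = 0
    for pnr in candidate_pnrs:
        try:
            lookup_weak(pnr, last_name)
            hits += 1
        except NotFound:
            pass
    return hits


SESSIONS: dict = {}  # session token -> account id (hypothetical in-memory store)


def login(account: str) -> str:
    """Issue an unguessable session token; a real service verifies a credential first."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def mask_email(addr: str) -> str:
    """Reduce a contact field to what a confirmation screen needs to show."""
    local, _, domain = addr.partition("@")
    return f"{local[0]}***@{domain}"


def lookup_hardened(session_token: str, pnr: str) -> dict:
    """Hardened: authenticate the caller, then check the caller owns the object."""
    account = SESSIONS.get(session_token)
    if account is None:
        raise AuthError("login required")
    b = BOOKINGS.get(pnr.upper())
    # Missing and not-yours raise the same error so the endpoint cannot be used
    # as an oracle to confirm which locators exist.
    if b is None or b.owner_account != account:
        raise NotFound("no match")
    return {"pnr": b.pnr, "full_name": b.full_name, "email": mask_email(b.email)}


def raises(exc: type, fn, *args) -> bool:
    """Helper for checking the failure paths without a test framework."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print(lookup_weak("abc123", "SMITH"))          # full record, no session needed
    print(exposed_records("Smith", ["ABC123", "ABC124", "ABC125"]))
    tok = login("acct-1")
    print(lookup_hardened(tok, "ABC123"))          # reduced view, owner only
    print(raises(NotFound, lookup_hardened, tok, "ABC124"))
```

The design choice worth noting is that the hardened handler never uses the record locator as a secret at all: it is an identifier, the session proves who is asking, and ownership is checked server-side per object. Returning the same `NotFound` for "does not exist" and "not yours" keeps the endpoint from doubling as an enumeration oracle.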

      • Em Adespoton@lemmy.ca · ↑2 ↓1 · 21 hours ago

        Bug bounties because it appears communication went off the rails when he started asking them for money.

        That’s why I said both players in this story are in the wrong. It’s a case study in how NOT to handle responsible disclosure.