The travel agencies have their own master logins into the GDSs and these accounts have very weak passwords. In one case the password was WS, which stands for web service, followed by the date when the login was created in DDMMYY format. This can easily be brute-forced and unfortunately it was one of the most complex travel agency passwords the researchers observed.
In addition to the obvious privacy violation that results from accessing someone else's booking data, attackers can abuse such access for their own gain. For example, they could add their frequent flier number to other people's long-haul flights in order to gain the reward miles for themselves. The researchers said that they know for a fact that this technique is already being used.
Attackers could also cancel a flight and, if the ticket is flexible, use the credit given by the airline to book a different ticket for themselves, the researchers said.
Knowledge of a person's exact traveling plans can also facilitate powerful phishing attacks. Imagine receiving an email from the airline you recently booked your flight with saying that the payment failed and you need to rebook by entering your credit card details again. Most people would probably comply with that request without checking if the email is authentic.
To top it all, there is no logging being done in the GDS databases. And since there's no logging, there's no way to tell who accessed a given record and how much abuse exists in these systems, the researchers said.
The ideal case would be for these systems to start requiring proper passwords for accessing individual PNRs, but that's a very long-term goal because all the players in the ecosystem -- travel agencies, airlines, hotels, car rental companies, etc. -- would need to get on board with this change and move at the same pace, Nohl said.
"In the short term, at the very least we should expect websites that give access to travelers' personal information to have the bare minimum of web security, and this includes at the very least some rate limiting," the researcher said. "And until passwords and other security measures become common, I think we have a right to know who accesses our records and there must be some accountability, especially knowing how insecure these systems are today."
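The two short-term measures Nohl asks for above, rate limiting on record lookups and an audit trail of who accessed which record, can be put in front of a PNR lookup endpoint as shown here. This is an added illustration, not code from the researchers or from any GDS; the PnrGateway class, the in-memory record store, the client identifiers and the locators are all constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample record store: locator -> surname on the booking.
# Real GDS records are not structured like this; this is only for illustration.
PNRS = {"ABC123": "SMITH", "XYZ789": "DOE"}


class PnrGateway:
    """Fronts PNR lookups with per-client rate limiting and an audit log.

    Every lookup attempt, allowed or not, is written to audit_log so that
    access to a given record can be attributed to a client after the fact.
    """

    def __init__(self, max_attempts=5, window_seconds=60.0):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)  # client_id -> attempt timestamps
        self.audit_log = []                  # (time, client, locator, status)

    def _recent_attempts(self, client_id, now):
        # Sliding window: drop attempts older than the window, return the rest.
        q = self._attempts[client_id]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def lookup(self, client_id, locator, surname, now=None):
        now = time.time() if now is None else now
        q = self._recent_attempts(client_id, now)
        if len(q) >= self.max_attempts:
            # Over budget: refuse without touching the record store at all.
            self.audit_log.append((now, client_id, locator, "RATE_LIMITED"))
            return None
        q.append(now)  # failed guesses count against the budget too
        ok = PNRS.get(locator.upper()) == surname.upper()
        self.audit_log.append((now, client_id, locator, "OK" if ok else "DENIED"))
        return {"locator": locator.upper(), "surname": surname.upper()} if ok else None


def burst_statuses(gateway, client_id, count, start):
    """Send `count` wrong guesses one second apart; return their audit statuses."""
    for i in range(count):
        gateway.lookup(client_id, "ZZZ%03d" % i, "NOBODY", now=start + i)
    return [e[3] for e in gateway.audit_log if e[1] == client_id]
```

A single successful lookup is unaffected, but a client that keeps guessing locators is cut off after five attempts per minute and every attempt stays in the log.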