Skip to main content
  1. Home
  2. Computing
  3. News

Report says hackers have easy access to flight bookings due to legacy systems

By

Your flight itinerary for your next trip may be hacked. According to new research from SR Labs, the legacy systems for managing travel bookings are terribly insecure.

At the recent Chaos Communication Congress, a cybersecurity conference in Germany, two researchers from SR Labs showed how the three major global distribution systems (GDS) are not using secure authentication. GDS is a system used for managing travel reservations where data is shared among travel agencies, airlines, and the passengers. The top three GDS providers in the field are Sabre, Amadeus, and Travelport.

Recommended Videos

Researchers Karsten Nohl and Nemanja Nikodijevic claimed that malicious actors could infiltrate these booking systems to alter passenger information and even cancel bookings. Most worryingly, the researchers said that they didn’t need much effort to do it, just the passenger’s last name and the six-digit Passenger Name Record (PNR).

The main problem? The GDS systems simply haven’t been updated. SR Labs claims that many of the legacy systems are failing to properly authenticate passengers beyond the PNR number. To add insult to injury, this PNR number is frequently shared in customer emails and can even in some cases be found printed on your luggage tags.

“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” said SR Labs in its report. “Instead, the booking code (aka PNR Locator, a six-digit alphanumeric string such as 8EI29V) is used to access and change travelers’ information.”

Accessing a traveler’s account would allow a hacker to not only mess around with their flight arrangement but potentially obtain payment data or further information to carrying out phishing attacks.

“Global booking systems have pioneered many technologies including cloud computing. Now is the time to add security best practices that other cloud users have long taken for granted,” said SR Labs. “In the short-term, all websites that allow access to traveler records should require proper brute-force protection in the form of Captchas and retry limits per IP address.”

Topics
Jonathan Keane
Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
What is HDMI 2.2? Everything you need to know
The rear of the Onn 4K Pro Streaming Device has a reset button, Ethernet port, HDMI port, USB-A port, and a barrel power connector.

Officially announced at CES 2025, HDMI 2.2 is the next-generation HDMI standard that promises to double available bandwidth for higher resolution and refresh rate support, and will require a new cable to support these new standards. It will also bring with it advanced features for improved audio and video syncing between devices.

But the new cable isn't coming until later this year, and there are no signs of TVs supporting the new standard yet. Here's everything you need to know about HDMI 2.2.
What can HDMI 2.2 do?
The standout feature of HDMI 2.2 is that is allows for up to double the bandwidth of existing Ultra High Speed HDMI cables using the HDMI 2.1 protocol. HDMI 2.2 is rated for up to 96 Gbps, opening up support for native 16K resolution support without compression, or native 4K 240Hz without compression. Throw DSC on and it should support monitors up to 4K 480Hz or 8K in excess of 120Hz.

Read more
ChatGPT now interprets photos better than an art critic and an investigator combined
OpenAI press image

ChatGPT's recent image generation capabilities have challenged our previous understing of AI-generated media. The recently announced GPT-4o model demonstrates noteworthy abilities of interpreting images with high accuracy and recreating them with viral effects, such as that inspired by Studio Ghibli. It even masters text in AI-generated images, which has previously been difficult for AI. And now, it is launching two new models capable of dissecting images for cues to gather far more information that might even fail a human glance.

OpenAI announced two new models earlier this week that take ChatGPT's thinking abilities up a notch. Its new o3 model, which OpenAI calls its "most powerful reasoning model" improves on the existing interpretation and perception abilities, getting better at "coding, math, science, visual perception, and more," the organization claims. Meanwhile, the o4-mini is a smaller and faster model for "cost-efficient reasoning" in the same avenues. The news follows OpenAI's recent launch of the GPT-4.1 class of models, which brings faster processing and deeper context.

Read more
Microsoft’s Copilot Vision AI is now free to use, but only for these 9 sites
Copilot Vision graphic.

After months of teasers, previews, and select rollouts, Microsoft's Copilot Vision is now available to try for all Edge users in the U.S. The flashy new AI tool is designed to watch your screen as you browse so you can ask it various questions about what you're doing and get useful context-appropriate responses. The main catch, however, is that it currently only works with nine websites.

For the most part, these nine websites seem like pretty random choices, too. We have Amazon, which makes sense, but also Geoguessr? I'm pretty sure the point of that site is to try and guess where you are on the map without any help. Anyway, the full site list is as follows:

Read more