(Forged) ticket to ride: Hacker claims he can fly for free using Passbook exploit

Apple Passbook exploit

A Greek hacker claims that he has found a way to generate free boarding passes that bypass airport security for any flight departing from a European airport using Apple’s virtual wallet app, Passbook. According to iTNews, 18-year-old Andrew Hariton plans to open up about the exploit in a presentation at the upcoming Hack in the Box security convention in Amsterdam on May 29.

“A computer and a smartphone is all that’s required for a method that puts to the test both physical and digital security,” Hariton writes in his Hack in the Box presentation abstract. “We will be using tools available to everyone to forge passes and look into methods of getting in the Security Restricted Area and even more importantly into the flight we desire.”

The alleged exploit lets users bypass the security protocols of ticket scanners used by airport staff before passengers board a flight. Normally those scanners check each boarding pass against the list of registered fliers. According to Hariton, however, the “malfunctioning” scanner software for EU airports does not have “direct access to the airliner database.”

Once he found a way in, Hariton said he could create boarding passes using Java and CSS in a web browser, which he could add to Passbook using the same interface developers use to send coupons and tickets to the app.

Hariton would not confirm or deny whether he has tested the exploit himself, though we’re willing to bet that he hasn’t, considering that an attempt to board a flight using a false ticket would likely result in his arrest.