A UK-based hacker is working to warn major airlines of a vulnerability that allows access to sensitive information, but the companies he claims to have hacked say they have no evidence of a breach.
A hacker known as c0mrade, formerly of the hacking groups SpexSec and TeaMp0ison, posted a message on Pastebin Wednesday afternoon warning major airlines of the exploit.
C0mrade posted screenshots of systems he says were accessed by exploiting a vulnerability found while penetration testing airport networks. The screenshots show a dashboard using Sabre Airline Solutions software. Sabre is a computer reservation system used by many major airlines.
“We found an exploit which enabled the right for us to download all the attachments on the site. Amongst the things we found was an application system used for the airports. We tested the software for vulnerabilities. Pew! We got past the employee-log in,” he wrote in a statement warning the airlines. Among the networks he says were accessed are American Airlines, United Airlines, and Vietnam Airlines.
The hacker claims to have access to flight booking info, ticketing information, hotel booking, credit card information, airline employee information, and flight passenger information. C0mrade says he has been trying to contact airlines about the vulnerability.
The Vietnam Airlines Web site was inaccessible Wednesday afternoon.
He said he spoke to an American Airlines executive, according to a post on Twitter, but in an interview early Thursday morning he admitted that he couldn’t get past the customer service operator.
By e-mail, American Airlines spokesperson Ed Martelle said the company doesn’t comment on security matters. “Not sure who your source is but I’d double or triple check ’em,” he wrote.
So far, other than the screenshots attached to his statement, there is little proof of c0mrade’s claims.
“Security is our top priority here and we take that very seriously. We looked into the matter and we have no indication that our system was breached,” Sabre Holdings spokesperson Nancy St. Pierre said by phone Thursday.
“Obviously we'll continue to look into it. He may have identified a vulnerability in one of our customers’ desktop systems so he was able to browse the fields, but from what we looked at there is no indication that he breached our customers or our systems.”