Hasty Briefs (beta)

Reverse Engineering Major US Airline's PNR System and Accessing All Reservations

8 hours ago
  • #Data Breach
  • #Brute-Force Attack
  • #API Security
  • Avelo Airlines had a critical API vulnerability that allowed passenger data to be retrieved by brute force.
  • The vulnerability stemmed from two defects: the reservation endpoints did not verify the passenger's last name, and they applied no rate limiting.
  • A brute-force run of about 6 hours could have downloaded every passenger record, including PII, Known Traveler Numbers, and payment data.
  • The researcher discovered the flaw on October 15, 2025, and Avelo Airlines responded quickly, patching the issue by November 13, 2025.
  • Exposed data included full passenger PII, government IDs, contact info, flight itineraries, and partial payment details.
  • The vulnerability could have allowed attackers to modify or cancel reservations, causing widespread disruption.
  • Key takeaways include the importance of multi-factor authentication, rate limiting, and proper session scoping for authentication cookies.
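To make the two defects the brief names concrete (a reservation lookup keyed on the PNR alone, with no throttling) next to the hardened form (a per-client rate limit plus a constant-time last-name check with a uniform failure response), here is an added illustration; it is not code from the article or from Avelo, and the reservation store, PNR values and limits are constructed.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample reservation store; not real passenger data.
RESERVATIONS = {
    "ABC123": {"last_name": "Doe", "itinerary": "BUR-LAS", "ktn": "[redacted]"},
    "XYZ789": {"last_name": "Roe", "itinerary": "MCO-RDU", "ktn": "[redacted]"},
}


def lookup_vulnerable(pnr):
    """The pattern the brief describes: the PNR alone returns the record,
    and nothing limits how often a client may ask."""
    return RESERVATIONS.get(pnr.upper())


class RateLimiter:
    """Sliding-window limiter keyed by client (source IP, session, etc.).
    The clock is injectable so behaviour can be checked deterministically."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_s, clock
        self.hits = defaultdict(deque)

    def allow(self, client):
        now = self.clock()
        q = self.hits[client]
        while q and now - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_hardened(pnr, last_name, client, limiter):
    """Hardened form: throttle first, then require the second factor
    (last name). Returns (status, record)."""
    if not limiter.allow(client):
        return "rate_limited", None
    rec = RESERVATIONS.get(pnr.upper())
    # Always run the comparison, against an empty value for unknown PNRs,
    # so response timing does not reveal whether a PNR exists.
    expected = rec["last_name"] if rec else ""
    name_ok = hmac.compare_digest(last_name.strip().lower().encode(),
                                  expected.lower().encode())
    if rec is None or not name_ok:
        return "not_found", None  # identical response for bad PNR and bad name
    return "ok", rec
```

Tuning the limit and window to real traffic, and keying the limiter on something an attacker cannot cheaply rotate, is what turns a 6-hour enumeration into one that is infeasible and visible in logs.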