Man hacked airline Web site to locate his lost luggage (boingboing.net)
42 points by navanchauhan on March 31, 2022 | hide | past | favorite | 14 comments


Basically, their web ui and underlying service both allow retrieving an itinerary if you have the PNR record locator (a string like "W862MY") and either a last name, or an email address. The api call is apparently returning the phone number and other data.

You can argue whether that's a good idea, but it doesn't appear to be a bug or mistake. It's by design.
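As an added illustration of the retrieval pattern the comment above describes (record locator plus last name or e-mail, with the API returning more fields than the itinerary page renders), here is a toy lookup in JavaScript. This is example code, not the airline's code or anything from the article; the record store, field names, sample passengers and the "hardened" projection are all constructed for illustration.

```javascript
// Constructed in-memory reservation store. Field names, values and the
// second passenger are made up; "W862MY" is the example locator from the thread.
const RECORDS = [
  {
    locator: "W862MY",
    lastName: "Doe",
    email: "jane.doe@example.com",
    phone: "+1-555-0100",          // never shown in the UI, but sent to the browser
    segments: [{ flight: "XX123", from: "SFO", to: "JFK", date: "2022-03-28" }],
    bagTags: ["0123456789"],
  },
  {
    locator: "K4Q9ZT",
    lastName: "Smith",
    email: "sam.smith@example.net",
    phone: "+1-555-0199",
    segments: [{ flight: "XX456", from: "LHR", to: "BOS", date: "2022-03-29" }],
    bagTags: ["9876543210"],
  },
];

// Shared lookup: the locator must match, plus at least one of the two weak
// proofs (last name OR e-mail). Comparison is case-insensitive and trimmed,
// mirroring how such forms usually behave.
function findRecord(locator, { lastName, email } = {}) {
  const loc = String(locator || "").trim().toUpperCase();
  if (!/^[A-Z0-9]{6}$/.test(loc)) return null;      // locators are six alphanumerics
  const rec = RECORDS.find((r) => r.locator === loc);
  if (!rec) return null;
  const nameOk = Boolean(lastName) && rec.lastName.toLowerCase() === lastName.trim().toLowerCase();
  const emailOk = Boolean(email) && rec.email.toLowerCase() === email.trim().toLowerCase();
  return nameOk || emailOk ? rec : null;
}

// Endpoint as described in the thread: the whole record goes over the wire.
// The page only renders the segments, so the phone number is invisible on
// screen yet visible in the browser's network tab.
function lookupAsDescribed(locator, proof) {
  const rec = findRecord(locator, proof);
  return rec ? { ...rec } : null;
}

// Hardened variant: the server projects the record down to exactly the fields
// the itinerary view needs, so nothing the page does not render reaches the client.
const ITINERARY_VIEW = ["locator", "segments"];

function pick(obj, keys) {
  const out = {};
  for (const k of keys) if (k in obj) out[k] = obj[k];
  return out;
}

function lookupHardened(locator, proof) {
  const rec = findRecord(locator, proof);
  return rec ? pick(rec, ITINERARY_VIEW) : null;
}

// Review check: which keys does a payload carry beyond what the UI renders?
// Run this against a real response body and the list of fields the template reads.
function extraFields(payload, renderedKeys) {
  return Object.keys(payload).filter((k) => !renderedKeys.includes(k));
}

// Demo when run directly.
if (typeof require !== "undefined" && require.main === module) {
  const leaky = lookupAsDescribed("w862my", { lastName: "doe" });
  console.log("leaked beyond the view:", extraFields(leaky, ITINERARY_VIEW));
  console.log("hardened payload:", lookupHardened("W862MY", { lastName: "Doe" }));
}
```

The point of `extraFields` is the check a reviewer can run on any such endpoint: diff the keys in the wire payload against the keys the template actually reads. Anything left over is data the server is sending for no reason, and, as this story shows, "hidden by the UI" is not the same as "not disclosed".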


1970s or 1980s design, pretty much all PNRs can be accessed by that, regardless of the airline.


I don't think it's old design myself. I think it's "how little can we require so that people don't call on the telephone or get in line at the airport?"

Any barrier you put in front of them increases support calls or slows down the check-in line.

Airline websites have logins, passwords, resets, and so on. They just don't want to make that a requirement to get a boarding pass, etc.


PNRs are not maintained by airlines themselves, they use a GDS like Amadeus or Sabre to do that. They still go through mainframes.


>PNRs are not maintained by airlines themselves

This isn't correct. You can have a PNR in a GDS, but you don't have to. The airline has their own central reservation system with the authoritative PNR. The CRS may be provided by Sabre, Amadeus, etc, but it's not a GDS...that's separate.

>They still go through mainframes

Some have moved entirely off of TPF mainframes. Amadeus/Altea is one example.


Misleading title. He used his web browser. Equivalent is that we are all hacking HN to read this comment.


Seems like the phone number was not shown, but was transmitted to the browser. He did open developer tools, so according to the Missouri governor that's hacking: https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-...

Ah, Boing Boing, I look back in shame that I used to think you were the coolest blog...


About which the airline said "(we are) reviewing this case in detail and would like to state that our IT processes are completely robust."


We've been here before, different skin, same mechanics. Only this is not a list of SSNs, this is a single phone number.

Someone uses a browser to request information from the server, and uses that information, in the clear, to accomplish a normal goal.

I think the biggest concern is that the potential shell game with luggage this enables is a security risk, to the prejudice of airline liability.


tldr: Two passengers had identical bags. Technically inclined passenger used the ID number from the other passenger's bag to get the other passenger's phone number and exchange bags. Phone number was not visible on the airline web site, he found it using the browser dev console.

I'd hardly call that hacking, but then again my opinion often doesn't match up with what politicians and courts consider hacking.


Reminds me of Tony Abbott getting hacked https://mango.pdf.zone/finding-former-australian-prime-minis...


Definitely worth a watch. You too can locate your lost luggage.

https://www.youtube.com/watch?v=CHPdxyJ_ooQ


Brave of him to admit in public he accessed another person's confidential information through hacking a website.


"CoMPleteLY RoBUST"!

