
Bob notified Frontier about the problem, but the company did very little to fix it; getting a hold of the aforementioned info now required the passenger's last name, also printed on the pass. So they published a post on their blog detailing several vulnerabilities in Frontier's website.
All of that info is usable for identity theft, stalking, or any number of other criminal activities. The TSA PreCheck code (Known Traveler Number) is particularly concerning for airlines, as it opens the possibility of an identity thief getting past security checks. As for the credit card number, since the first six digits and last four are exposed along with the cardholder's name and expiration date, it's easy enough to guess the middle five digits, and then the CVV code at the back becomes the sole load-bearing security feature.
This is hardly the end of it, though. As Bob came to find, the booking management pages on Frontier's website (also reachable with just the booking number and a last name) equally expose personal information in their source code and/or API requests. Standard security practices dictate that easily-accessible pages like this use the principle of data minimization, retrieving and displaying the bare minimum until absolutely necessary.
Bob found that the "Manage My Booking" page clearly shows the name, e-mail, and phone number in the source code, while that of the "Passengers / Edit" page reveals each person's full name, country, date of birth, full passport info, and TSA PreCheck number again. Ironically, Frontier attempted a fix for the former issue, only to have the fixed version reveal more info than it originally did. These pages do obscure the data for display purposes, but it's right there in the source code and API calls.
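The display-only masking described above, contrasted with server-side data minimization, as an added example that is not from the article or the researcher's post. The field names, sample record, and function names are constructed for illustration and do not reflect Frontier's actual schema or API.

```javascript
// Added illustration; field names and the sample record are constructed assumptions.
const SENSITIVE = ["email", "phone", "dateOfBirth", "passportNumber", "knownTravelerNumber"];

const sampleBooking = { // constructed sample data
  confirmation: "ABC123",
  passengers: [{
    firstName: "Alex", lastName: "Example",
    email: "alex@example.test", phone: "+1-555-0100",
    dateOfBirth: "1990-01-01", passportNumber: "X0000000",
    knownTravelerNumber: "TT0000000",
  }],
};

// Weak pattern: the whole record is serialized and the page is trusted to mask it.
function leakyView(booking) {
  return { ...booking, display: { maskFields: SENSITIVE } };
}

// Masking done on the server, so the raw address never leaves it.
function maskEmail(email) {
  if (!email || !email.includes("@")) return null;
  const [local, domain] = email.split("@");
  return `${local[0]}***@${domain}`;
}

// Minimized pattern: the response is built from an allowlist of what the page renders.
function minimalView(booking) {
  return {
    confirmation: booking.confirmation,
    passengers: booking.passengers.map((p) => ({
      firstName: p.firstName,
      lastName: p.lastName,
      emailHint: maskEmail(p.email),
      hasKnownTravelerNumber: Boolean(p.knownTravelerNumber),
    })),
  };
}

// Regression check: which sensitive raw values appear anywhere in the serialized response?
function findLeaks(booking, response) {
  const body = JSON.stringify(response);
  return booking.passengers.flatMap((p, i) =>
    SENSITIVE.filter((f) => p[f] && body.includes(String(p[f])))
      .map((f) => `passengers[${i}].${f}`));
}

console.log("leaky:", findLeaks(sampleBooking, leakyView(sampleBooking)));
console.log("minimal:", findLeaks(sampleBooking, minimalView(sampleBooking)));
```

A check like `findLeaks` belongs in the API's test suite, run against every response shape a booking-lookup endpoint can return, so a later "fix" that widens the payload fails the build.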
The security expert originally reached out to Frontier on March 3 and followed up on March 9, attempting to follow the standard 90-day disclosure procedure. The company fixed the one vulnerability and sent Bob a model plane for their trouble. Bob followed up with the additional data-exposing issues and started a "compensation discussion" with the company. Frontier apparently flip-flopped on a proper response. Now, Bob says Frontier's critical vulnerabilities are still live and that Frontier's passengers "deserve better."