tldr: Two passengers had identical bags. Technically inclined passenger used the id number from other passenger's bag to get the other passengers phone number and exchange bags. Phone number was not visible on airline web site, he found it using browser dev console.
I'd hardly call that hacking, but then again my opinion often doesn't match up with what politicians and courts consider hacking.
Basically, their web ui and underlying service both allow retrieving an itinerary if you have the PNR record locator (a string like "W862MY") and either a last name, or an email address. The api call is apparently returning the phone number and other data.
You can argue whether that's a good idea, but it doesn't appear to be a bug or mistake. It's by design.
I don't think it's old design myself. I think it's "how little can we require so that people don't call on the telephone or get in line at the airport?"
Any barrier you put in front of them increases support calls or slows down the check-in line.
Airline websites have logins, passwords, resets, and so on. They just don't want to make that a requirement to get a boarding pass, etc.
This isn't correct. You can have a PNR in a GDS, but you don't have to. The airline has their own central reservation system with the authoritative PNR. The CRS may be provided by Sabre, Amadeus, etc, but it's not a GDS...that's separate.
>They still go through mainframes
Some have moved entirely off of TPF mainframes. Amadeus/Altea is one example.
14 comments
[ 3.1 ms ] story [ 45.9 ms ] threadI'd hardly call that hacking, but then again my opinion often doesn't match up with what politicians and courts consider hacking.
Ah, Boing Boing, I look back in shame that I used to think you were the coolest blog...
someone uses a browser to request information from the server, and uses that information in the clear, to accomplish a normal goal.
i think the biggest concern is the potential shellgame with luggage this enables, is a security risk, to the prejudice of airline liability.
You can argue whether that's a good idea, but it doesn't appear to be a bug or mistake. It's by design.
Any barrier you put in front of them increases support calls or slows down the check-in line.
Airline websites have logins, passwords, resets, and so on. They just don't want to make that a requirement to get a boarding pass, etc.
This isn't correct. You can have a PNR in a GDS, but you don't have to. The airline has their own central reservation system with the authoritative PNR. The CRS may be provided by Sabre, Amadeus, etc, but it's not a GDS...that's separate.
>They still go through mainframes
Some have moved entirely off of TPF mainframes. Amadeus/Altea is one example.
https://www.youtube.com/watch?v=CHPdxyJ_ooQ