Reverse Engineering US Airline's PNR System and Accessing All Reservations

Posted by bearsyankees 12/19/2025

Reverse Engineering US Airline's PNR System and Accessing All Reservations(alexschapiro.com)

134 points | 63 comments

ISL 12/20/2025|

Avelo assists ICE daily with deporting people from the United States:

https://bsky.app/profile/jjindc.bsky.social/search?q=avelo

mattmaroon 12/20/2025||

Can’t load that but don’t they all? I can’t imagine any airline telling the federal government no.

ISL 12/22/2025|||

It is likely that many airlines accommodate people who are being deported as regular passengers on outbound international flights.

For movement of humans at industrial scale, though, there are only a few operators with ICE contracts. Avelo, GlobalX, Eastern, Key Lime Air, and Omni come immediately to mind. For international flights, there's at least one Learjet operator that flies a bunch for them, too.

These days, the aforementioned carriers fly 20-30 flights/day. Here are Saturday's flights (apologies for the sign-in wall, but lalabote keeps their account somewhat locked down): https://bsky.app/profile/lalabote.bsky.social/post/3mai6lach...

apical_dendrite 12/20/2025||||

I think Avelo is the only airline that participates. The rest are charter companies.

ISL 12/22/2025||

Key Lime Air operates daily airline flights as Denver Air Connection in addition to their charter work for ICE and others.

Scoundreller 12/20/2025|||

> Search is currently unavailable when logged out

Can you hook us up with some deep links?

ISL 12/22/2025||

Whoops -- was away from HN for a few days.

Here is JJ's account -- he is a prolific flight-tracker: https://bsky.app/profile/jjindc.bsky.social

Here is an Avelo flight moving through California right now: https://bsky.app/profile/jjindc.bsky.social/post/3malkyew432...

Here is an Avelo flight on the ground in Seattle on Saturday: https://bsky.app/profile/jjindc.bsky.social/post/3magxcnri32...

Avelo flies a number of flights each week for ICE.

dogemaster2032 12/20/2025|||

[flagged]

apical_dendrite 12/20/2025||

Enjoy your trip to Tweed New Haven Airport.

dogemaster2032 12/20/2025||

[dead]

thedrbrian 12/20/2025||

[flagged]

saikia81 12/20/2025||

good question. After reading his passionate plea for the immigrants, anyone would ask your question.

jbergler 12/19/2025||

The 6 hour claim is interesting, but I highly doubt Avelo (or any airline) would handle 100k requests/sec

If we consider that the real major's move about 400k-500k passengers/day, let's be really optimistic and say that they check their booking 6 times a day for the week before they fly. That's around 250 requests/sec.

Anyone know about the consumer facing tech stacks at airlines these days? Seems unlikely that they'd have databases that would auto scale 400x...

kiklion 12/19/2025||

I doubt their API would handle 100k requests per second. That math was roughly indictive of what the cost to send 100k requests per second would look like. He did mention that that was assuming the target didn't have rate limiting, either intentional or just pure limits of the hardware.

bronco21016 12/20/2025||

Cloud API gateway providers advertise ~10,000 rps.

I think more likely the API would be behind some kind of bot protection that would shut this down before any kind of technical rate limit is reached.

mtlynch 12/19/2025||

>The Avelo team was responsive, professional, and took the findings seriously throughout the disclosure process. They acknowledged the severity, worked quickly to remediate the issues, and maintained clear communication. This is a model example of how organizations should handle security disclosures.

Sounds like no bug bounty?

It's great if OP is happy with the outcome, but it's so infuriating that companies are allowed to leak everyone's data with zero accountability and rely on the kindness of security researchers to do free work to notify them.

I wish there was a law that assigned a dollar value to different types of PII leaks and fined the organization that amount with some percentage going to the whistleblower. So a security researcher could approach a vendor and say, "Hi! I discovered vulnerabilities in your system that would result in a $500k fine for you. For $400k, I'll disclose it to you privately, or you can turn me down and I'll receive $250k from your fines."

edent 12/19/2025||

> I wish there was a law that assigned a dollar value to different types of PII leaks

There is. It is called GDPR.

Plenty of companies have been fined for leaks like this.

Some countries also have whistleblower bounties but, as you might expect, there are some perverse incentives there.

mtlynch 12/19/2025|||

Yeah, as an American, I'm jealous of many aspects of GDPR. I really appreciate you blogging / tooting about experiences protecting your rights under GDPR. I wish we had 1/10th of the consumer privacy protections you have.

How does security research like this work out in practice, in the EU?

I read a lot of vulnerability writeups like this and don't recall seeing any where the author is European and gets a better outcome. Are security researchers actually compensated for this type of work in the EU?

advisedwang 12/19/2025||||

The GDPR (in art 32) only requires that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". I expect it's quite common for a company to get hacked even if they meet that level. I think the parent comment was imagining that any leak is automatically fined, regardless of whether the company had met some security requirement.

samuria 12/20/2025||||

Does GDPR mandate a payout to the researcher after disclosure?

billy99k 12/19/2025|||

The GPDR makes it so small companies need to hire expensive lawyers to be compliant (and you still don't know for sure, based on the laws)

How about fining individual developers with poor coding practices?

immibis 12/20/2025|||

No it actually doesn't. It just needs someone in the company executive to not have their head up their ass, and read the law, which is fairly straightforward.

Also, it needs your company's business model to not be selling user data. That's why American companies find it hard to comply with.

matthewmacleod 12/19/2025|||

It does not mean this.

bossyTeacher 12/19/2025||

> it's so infuriating that companies are allowed to leak everyone's data with zero accountability and rely on the kindness of security researchers to do free work to notify them.

This is a matter for lawmakers and law enforcement. Campaign for it. Nothing will change otherwise

dboreham 12/19/2025||

Always consider rate limiting if you deploy a public endpoint. Always require authentication to perform resource-consuming and/or privacy leaking requests. (Requiring authentication makes rate limiting more practical since even a distributed attacker would need many credentials, which they probably don't have).

cake 12/20/2025|

Any tips on how to define the rate limits for a web app with moderate traffic? For logged and anonymous users?

didgetmaster 12/19/2025||

The lack of needing the last name might have allowed a hacker to brute force the whole list; but it seems that even with a last name, it could expose a lot of PII. Just pass codes along with popular last names (Smith, Jones, Nelson, etc.) and it seems like it could spit out a bunch of reservations.

miki123211 12/19/2025||

I'd go for wang, Li and Zhang instead, maybe also Patel and Nguyen. Asian countries have a much more skewed surname distribution.

morpheuskafka 12/20/2025|||

Yes, it's also an issue when someone posts their bag tag/boarding pass/booking email online.

But that's the "industry standard" for checking a reservation online. Requiring airline login doesn't work because of tickets issued by travel agents or other airlines.

codethief 12/20/2025||

Exactly, I came here to say this!

> This two-factor system is generally secure. The space of all 6-character alphanumeric confirmation codes combined with all possible last names is astronomically large, making it impossible to “guess” a valid pair.

Depending on the threat model, the attacker's goal might not be to guess a single pair but to access any valid pair (of a booking with a flight date in the future, or maybe even in the past). Suddenly you're looking at thousands of valid booking codes and the attacker can try a couple dozen of common names. Brute-forcing valid pairs then becomes relatively easy.

commandlinefan 12/19/2025||

> They were responsive, professional, and took the findings seriously, patching the issues promptly.

The "issue" is that they're returning the entire PNR dataset to the front-end in the first place. He doesn't detail how they fixed it, but there's no reason in the world that this entire dataset should be dumped into Javascript. I got into pretty heated arguments with folks about this at Travelocity and this shit is exactly why I was so adamant.

miki123211 12/19/2025||

Do we know what GDS Avelo is using? In other GDSes, is the confirmation code always sufficient to fully identify a booking? I was under the impression that PRLs could be re-used as long as the passenger surname was different.

The space of all possible PRLs is about 2 billion, I can imagine a really big Airline moving that many passengers.

rootsudo 12/19/2025||

They use a service of Sabre but not Sabre GDS. it’s called Radixx.

Yes in other GDS, it can be enough to identify a full booking. That’s why airlines prefer ticket or coupon number since the first two digits are the airline ticket stock / identifier and then fare codes, etc

The requiring last name, and more info is more or less security since any pss system can query the airline first for that combination before requiring more info to return a match.

lxgr 12/19/2025||

6 alphanumeric, case insensitive characters only allow for about 2 billion unique combinations. I’d have guessed there were more reservations made than that?

Or are PNR locators recycled after a while?

bleepblap 12/19/2025||

Yes, I've got in my drawer two physical boarding passes with the same PNR

aardvark179 12/19/2025||

Confirmation codes are not sufficient on their own, they cycle through them relatively quickly so they have to be combined with things like the passengers family name to actually identify the booking.

CtrlAltNerd 12/19/2025||

Great work, very impressive find.

RealSoyboyRoy 12/20/2025||

> I immediately disclosed this to the Avelo team. They were responsive, professional, and took the findings seriously, patching the issues promptly.

(emphasis my own)

Sorry but I strongly disagree with this phrasing. This is a company "serving over 6 million customers since its 2021 launch" (from Google) that took four weeks to patch an embarrassing security flaw, after being handed all the details on a silver platter.

Imagine a food chain serving a million meals a year was revealed to be storing their food products in unsanitary conditions, and it took them a full month to correct this. That story would make national headlines, not to mention they could get promptly shut down by any competent health ministry.

I think this attitude mostly reveals how complacent we've become about these """incidents""": we just expect this to happen, everywhere and all the time, then we just shrug and say "they fixed it within a month, how responsible of them".

More comments...