Link: Researchers say a bug let them add fake pilots to rosters used for TSA checks
A security flaw was found in the system the TSA uses to verify airline crew identities at airports. Researchers Ian Carroll and Sam Curry showed that a simple SQL injection allowed unauthorized access.
The vulnerability was in a third-party vendor’s website, FlyCASS, used by smaller airlines. Entering a single apostrophe in the login field triggered a MySQL error, indicating a security weakness.
By manipulating SQL queries, the researchers accessed FlyCASS as administrators, potentially enabling them to add fake crew members to the system.
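The apostrophe symptom described above, as an added example (not code from FlyCASS or the researchers) that puts a string-concatenated login query beside its parameterized form. It assumes Python's built-in sqlite3 as a stand-in for MySQL; the `users` table, its columns and all function names are hypothetical.

```python
import sqlite3

# Constructed stand-in for a login backend: in-memory SQLite instead of MySQL,
# with a hypothetical "users" table. Plaintext passwords only keep the demo short.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "correct-horse"))
    return db

def login_concat(db, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return "ok" if db.execute(sql).fetchone() else "denied"
    except sqlite3.Error as exc:
        # A database error caused by one quote character is the symptom
        # the article describes: the input changed the query's syntax.
        return "db-error: " + str(exc)

def login_param(db, username, password):
    """Hardened pattern: placeholders keep input as data, never as SQL."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return "ok" if db.execute(sql, (username, password)).fetchone() else "denied"

def apostrophe_check(login, db):
    """Regression test for defenders: a lone apostrophe must give a plain denial."""
    return login(db, "'", "x") == "denied"

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", login_concat), ("parameterized", login_param)):
        print(name, "| lone apostrophe ->", fn(db, "'", "x"))
        print(name, "| legitimate o'brien ->", fn(db, "o'brien", "correct-horse"))
        print(name, "| passes apostrophe check:", apostrophe_check(fn, db))
```

The concatenated version also fails for the legitimate user whose name contains an apostrophe, which is why this class of bug often surfaces first as a support complaint rather than a security report.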
No additional verification steps were in place to prevent unauthorized changes once access was gained. This flaw could permit unauthorized individuals to bypass airport security checkpoints.
TSA spokesperson R. Carter Langston responded to the allegations. He said that multiple authentication methods are in place and that only verified crew members gain entry to secure areas.
While the TSA refutes claims of inadequate security, the incident highlights critical vulnerabilities that could have serious implications for airline safety.
--
Yoooo, this is a quick note on a link that made me go, WTF? Find all past links here.