Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.
Why it matters: Security researchers have uncovered a major vulnerability that could have allowed anyone to bypass airport security and even access airplane cockpits. The flaw was found in the login system used by the Transportation Security Administration to verify airline crew members at checkpoints.
The story began in April when researchers Ian Carroll and Sam Curry were exploring a third-party website called FlyCASS. This vendor provides smaller airlines with access to the TSA's Known Crewmember (KCM) and Cockpit Access Security System (CASS) databases. While testing the site's login page, they noticed a telltale MySQL error appear after inserting an apostrophe – a classic sign of an SQL injection flaw.
For those unfamiliar, SQL injection is a technique in which malicious code is inserted into application queries to manipulate the backend database illicitly. In this case, the researchers realized FlyCASS was interpolating usernames directly into its SQL queries, making it vulnerable to exploitation.
By leveraging this flaw, the pair managed to log in as an admin for one airline. Once inside, they found no further security checks in place, essentially giving them free rein to create fake crew accounts, complete with employee numbers and photo IDs.
– Ian Carroll (@iangcarroll) August 29, 2024In April, @samwcyo and I discovered a way to bypass airport security via SQL injection in a database of crewmembers. Unfortunately, DHS ghosted us after we disclosed the issue, and the TSA attempted to cover up what we found.
Here is our writeup: https://t.co/g9orwwgoxt
Carrol added that anyone with "basic knowledge" of SQL injection could exploit the bug and gain access to the site.
Upon realizing the severity of the issue, Carroll and Curry reported it to the Department of Homeland Security on April 23. The TSA's parent agency confirmed the vulnerability was legitimate and had FlyCASS disconnected from federal databases on May 7 as a temporary measure.
Thankfully, the vulnerability was fixed soon after on FlyCASS.
However, the disclosure process encountered a setback when the DHS suddenly stopped responding to further coordination attempts. The researchers claim that the TSA press office issued "dangerously incorrect statements" about the vulnerability.
Meanwhile, TSA spokesperson R. Carter Langston stated that no government data or systems were compromised due to the vulnerability. He added that the agency does not rely solely on the database and has procedures in place "to verify the identity of crewmembers, and only verified crewmembers are permitted access to secure areas in airports."
Image credit: Matthew Turner