Researchers say a bug let them add fake pilots to rosters used for TSA checks


A pair of security researchers say they discovered a vulnerability in the login systems for records that the Transportation Security Administration (TSA) uses to verify airline crew members at airport security checkpoints. The bug let anyone with a “basic knowledge of SQL injection” add themselves to airline rosters, potentially letting them breeze through security and into the cockpit of a commercial airplane, researcher Ian Carroll wrote in a blog post in August.

Carroll and his partner, Sam Curry, apparently discovered the vulnerability while probing the third-party website of a vendor called FlyCASS, which gives smaller airlines access to the TSA’s Known Crewmember (KCM) program and Cockpit Access Security System (CASS). They found that when they put a single apostrophe into the username field, they got a MySQL error.

This was a very bad sign, as it seemed the username was directly interpolated into the login SQL query. Sure enough, we had discovered SQL injection and were able to use sqlmap to confirm the issue. Using the username of ' or '1'='1 and password of ') OR MD5('1')=MD5('1, we were able to log in to FlyCASS as an administrator of Air Transport International!
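To make the quoted finding concrete, here is an added example (not code from the blog post or from FlyCASS) that reproduces the two symptoms described: a lone apostrophe causing a database error, and the username/password pair above logging in as the administrator. The query shape, table layout and the use of SQLite with an emulated MD5() function are assumptions; the real application's schema is not described on the page. The same toy shows the parameterized form of the query, which treats the payloads as ordinary strings.

```python
import hashlib
import sqlite3

# Payloads exactly as quoted from the blog post.
USERNAME_PAYLOAD = "' or '1'='1"
PASSWORD_PAYLOAD = "') OR MD5('1')=MD5('1"


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """Constructed in-memory database; schema and seed row are assumptions."""
    con = sqlite3.connect(":memory:")
    con.create_function("MD5", 1, _md5)  # emulate MySQL's MD5() in SQLite
    con.execute("CREATE TABLE users(username TEXT, password_md5 TEXT, role TEXT)")
    con.execute(
        "INSERT INTO users VALUES ('admin', ?, 'administrator')",
        (_md5("correct horse"),),
    )
    return con


def build_vulnerable_query(username, password):
    # The pattern the blog describes: both inputs concatenated into the SQL.
    return (
        "SELECT role FROM users WHERE username='" + username
        + "' AND password_md5=MD5('" + password + "')"
    )


def vulnerable_login(con, username, password):
    row = con.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(con, username, password):
    # Parameterized: the driver binds the inputs as values, never as SQL text.
    sql = "SELECT role FROM users WHERE username=? AND password_md5=MD5(?)"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def triggers_sql_error(con, username):
    """The probe from the article: does this username break the statement?"""
    try:
        vulnerable_login(con, username, "")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("apostrophe breaks query:", triggers_sql_error(db, "'"))
    print("expanded query:", build_vulnerable_query(USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
    print("vulnerable login role:", vulnerable_login(db, USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
    print("parameterized login role:", safe_login(db, USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
```

With the payloads interpolated, the WHERE clause becomes `username='' or '1'='1' AND password_md5=MD5('') OR MD5('1')=MD5('1')`; because AND binds tighter than OR, the trailing `MD5('1')=MD5('1')` is true on its own and the first row in the table (the administrator) is returned regardless of either credential. The parameterized query returns no row for the same inputs.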

Once they were in, Carroll writes, there was “no further check or authentication” preventing them from adding crew records and photos for any airline that uses FlyCASS. Anyone who had used the vulnerability could then present a fake employee number to get through a KCM security checkpoint, the blog says.

TSA press secretary R. Carter Langston denied that, telling Bleeping Computer that the agency “does not solely rely on this database to authenticate flight crew,” and that “only verified crewmembers are permitted access to the secure area in airports.”
