Researchers say a bug let them add fake pilots to rosters used for TSA checks

Posted by
Check your BMI

A collection of warning signs, bugs, and notifications emulating malware or a cyber attack. The images are placed in a connected web against a blue background.
Illustration by Carlo Cadenas / The Verge
toonsbymoonlight

A pair of security researchers say they discovered a vulnerability in login systems for records that the Transportation Security Administration (TSA) uses to verify airline crew members at airport security checkpoints. The bug let anyone with a “basic knowledge of SQL injection” add themselves to airline rosters, potentially letting them breeze through security and into the cockpit of a commercial airplane, researcher Ian Carroll wrote in a blog post in August.

Carroll and his partner, Sam Curry, apparently discovered the vulnerability while probing the third-party website of a vendor called FlyCASS that provides smaller airlines access to the TSA’s Known Crewmember (KCM) system and Cockpit Access Security System (CASS). They found that…

Continue reading…