128: Researchers find SQL injection to bypass airport TSA security checks

Security researchers Ian Carroll and Sam Curry discovered a critical vulnerability in FlyCASS, a web-based service used by airlines for managing the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS).

This flaw allowed for SQL injection, enabling attackers to log in as an administrator for Air Transport International and manipulate employee data. Upon discovery, the researchers informed the Department of Homeland Security (DHS) and FlyCASS was disconnected from the system as a precaution. However, the DHS ceased responding to the researchers’ emails and the TSA denied the vulnerability’s impact, quietly removing conflicting information from its website.
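To make the class of bug concrete, the following is an added example (not FlyCASS code, and the table, credentials and role names are constructed for illustration): a login lookup that splices user input into the SQL string, next to the same lookup with bound parameters, so the difference in behaviour on a crafted username can be seen directly.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table standing in
    for a crew-management login backend. Passwords are stored in clear text
    only to keep the example short; a real system stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse', 'administrator')")
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: attacker-controlled text becomes part of the SQL
    statement, so quoting and comment characters change its meaning."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Bound parameters: the driver passes the input as data only, so it can
    never be parsed as SQL. This is the fix for the vulnerable version."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run both lookups on the same inputs and return the rows they yield."""
    conn = make_db()
    # A closing quote followed by a SQL comment marker in the username field
    # truncates the statement before the password check is ever evaluated.
    crafted = "admin' --"
    return {
        "vulnerable_wrong_password": login_vulnerable(conn, "admin", "wrong"),
        "vulnerable_crafted": login_vulnerable(conn, crafted, "wrong"),
        "parameterized_crafted": login_parameterized(conn, crafted, "wrong"),
        "parameterized_correct": login_parameterized(conn, "admin", "correct horse"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case}: {row}")
```

With parameterised queries the crafted username simply fails to match any row; the only input that authenticates is the real credential pair.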

Carroll emphasized that the flaw could have facilitated extensive security breaches, including bypassing vetting processes for new KCM members. Additionally, another researcher discovered potential ransomware activity targeting FlyCASS. The TSA press secretary stated that no government data or systems were compromised, and TSA procedures were in place to verify crewmembers’ identities.

Attempts to reach the DHS for comment were initially unsuccessful.

The 128 series brings you byte-sized news for busy professionals. The full story can be found here: http://cmd.news/article/industry-news/researchers-find-sql-injection-to-bypass-airport-tsa-security-checks/
