The Transportation Security Administration’s no-fly list is one of the most important ledgers in the United States: it contains the names of individuals considered such a threat to national security that they are not allowed on airplanes. You’d be forgiven for thinking this list was a closely guarded state secret, but lol no.
A Swiss hacker who goes by “maia arson crimew” obtained a copy of the list – albeit a version from a couple of years ago – not by breaching fortress-like layers of cybersecurity, but by… finding a regional airline that had the data lying around on unprotected servers. They announced the discovery with the photo and screenshot above, in which the Pokémon Sprigatito looks very happy with itself.
As they explain in detail in a blog post, crimew was poking around online when they discovered that CommuteAir’s servers were just sitting there:
Like so many of my other hacks, this story starts with me being bored and surfing Shodan (or well, technically ZoomEye, Chinese Shodan), in search of exposed Jenkins servers that may contain some interesting goods. At this point I’ve probably been clicking my way through about 20 boring exposed servers with very little interest when I suddenly start seeing some familiar words. “acars”, lots of mentions of “crew” and so on. Many words I’ve heard before, most likely while binge watching Mentour Pilot YouTube videos. Jackpot. An exposed Jenkins server belonging to CommuteAir.
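The pattern crimew describes, a Jenkins instance surfaced by an internet-wide scanner and answering without a login, is exactly what an airline (or anyone running CI) should be checking for on its own perimeter. The Python below is an added example written for this article, not code from crimew’s post or from CommuteAir. It judges one HTTP response to Jenkins’s `/api/json` endpoint: the `X-Jenkins` version header identifies the product even on a 403, and a 200 whose body is a Hudson/Jenkins JSON object with a job tree means anonymous read is on. The sample responses and hostnames are constructed for illustration; `probe()` only makes sense against hosts you are authorised to test.

```python
"""Classify whether a Jenkins instance is reachable anonymously.

Added example for this article; the sample responses below are constructed,
not real captures from CommuteAir or anyone else.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Verdict:
    is_jenkins: bool
    version: Optional[str]
    anonymous_read: bool            # True when /api/json returned a job tree with no login
    job_names: List[str] = field(default_factory=list)


def classify(status: int, headers: Dict[str, str], body: bytes) -> Verdict:
    """Judge one response to GET /api/json?tree=jobs[name].

    Jenkins stamps every response, including 403s, with an X-Jenkins header,
    so that header alone fingerprints the product. A 200 whose body parses as
    a JSON object with a hudson.* or jenkins.* _class means anonymous read.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    version = lowered.get("x-jenkins")

    data = None
    if status == 200:
        try:
            data = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            data = None  # not JSON: an error page or an unrelated server

    jenkins_body = (
        isinstance(data, dict)
        and str(data.get("_class", "")).startswith(("hudson.", "jenkins."))
    )
    is_jenkins = version is not None or jenkins_body
    anonymous_read = is_jenkins and jenkins_body

    jobs: List[str] = []
    if anonymous_read:
        jobs = [j["name"] for j in data.get("jobs", [])
                if isinstance(j, dict) and "name" in j]
    return Verdict(is_jenkins, version, anonymous_read, jobs)


def probe(host: str, timeout: float = 5.0) -> Verdict:
    """Live check of a host you own or are authorised to test (not run by the sample)."""
    url = f"http://{host}/api/json?tree=jobs[name]"
    req = urllib.request.Request(url, headers={"User-Agent": "jenkins-exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        # Jenkins returns 403 for anonymous callers when login is required;
        # the X-Jenkins header is still present on that error response.
        return classify(err.code, dict(err.headers), err.read())


# Constructed sample responses: an open instance, one that requires login,
# and an unrelated web server.
SAMPLES = {
    "open": (
        200,
        {"X-Jenkins": "2.387.1", "Content-Type": "application/json"},
        json.dumps({
            "_class": "hudson.model.Hudson",
            "jobs": [
                {"_class": "hudson.model.FreeStyleProject", "name": "crew-sync"},
                {"_class": "hudson.model.FreeStyleProject", "name": "acars-ingest"},
            ],
        }).encode(),
    ),
    "locked": (
        403,
        {"X-Jenkins": "2.387.1", "Content-Type": "text/html"},
        b"<html><body>Authentication required</body></html>",
    ),
    "other": (
        200,
        {"Server": "nginx", "Content-Type": "text/html"},
        b"<html><body>hello</body></html>",
    ),
}


def audit_samples() -> Dict[str, Verdict]:
    """Run classify() over the constructed samples; the "open" one is the finding."""
    return {name: classify(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in audit_samples().items():
        print(f"{name:6s} jenkins={v.is_jenkins} version={v.version} "
              f"anonymous_read={v.anonymous_read} jobs={v.job_names}")
```

A verdict of `anonymous_read=True` is the condition to alert on: the job names alone already tell an outsider what the build system touches (here the constructed `crew-sync` and `acars-ingest`), and the job workspaces and credentials behind them are what turned one exposed server into the haul crimew describes below.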
Among other “sensitive” information on the servers was “NOFLY.CSV,” which, oddly enough, was exactly what it said on the box: “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane told the Daily Dot, which worked with crimew to review the data. “In addition, certain CommuteAir employee and flight information was accessible. We have submitted a notification to the Cybersecurity and Infrastructure Security Agency and are proceeding with a full investigation.”
This “employee and flight information” includes, as crimew writes:
Pulling sample documents from various S3 buckets, going through flight plans and dumping some DynamoDB tables. At this point, I had found pretty much every conceivable piece of PII for each of their crew members: full names, addresses, phone numbers, passport numbers, pilot license numbers, when the next line check is due and much more. I had travel sheets for every flight, the ability to access every itinerary, a whole bunch of image attachments for flight booking refunds that contained even more PII, aircraft maintenance data, you name it.
The government is now investigating the leak, with the TSA telling the Daily Dot it is “aware of a potential cybersecurity incident and we are investigating in coordination with our federal partners.”
If you’re wondering how many names are on the list, it’s hard to say. Crimew tells me that in this version of the records “there are approximately 1.5 million entries, but given the many different aliases for different individuals, it is very difficult to ascertain the actual number of unique individuals on them” (a 2016 estimate put the numbers at “2,484,442 records consisting of 1,877,133 individual identities”).
Interestingly, given that the list was uploaded to CommuteAir’s servers in 2022, it was initially assumed that was the year the records were from. Instead, crimew tells me, “The only reason we [now] know [it] is from 2019 is because the airline keeps confirming this in all their press releases; previously we assumed it was from 2022.”
You can check out crimew’s blog post here, and the Daily Dot’s report – which notes that names on the list include members of the IRA and an eight-year-old – is here.