Researcher Maia Arson Crimew discovered a U.S. No Fly List hosted on an unsecured server run by US carrier CommuteAir. The TSC’s No Fly List is a list of people who are prohibited from boarding commercial aircraft for travel within, into, or out of the United States.
The Swiss researcher claims to have discovered the server while searching for Jenkins servers using the Zoomeye search engine.
While analyzing 20 exposed servers, she noticed familiar aviation-industry terms such as “ACARS” and “crew.”
She noticed two projects on the server named noflycomparison and noflycomparisonv2, which seemingly take the TSA no-fly list and check whether any of CommuteAir’s crew members are included. Crimew discovered hardcoded credentials and S3 bucket names in them, and used those to access the actual list.
The researcher also found AWS credentials that gave her access to the entire AWS infrastructure via the AWS CLI: numerous S3 buckets, dozens of DynamoDB tables, various servers, and much more.
Crimew also discovered PII for each crew member, including full names, addresses, phone numbers, passport numbers, pilot’s license numbers, when their next line check is due, and much more.