Hacker found a no-fly list on a public TSA server

The hacker found a list of banned aircraft on the airline’s insecure server.

Everyone makes mistakes at work, but leaving a no-fly list online is a real bummer. This is exactly what happened to the American company CommuteAir. The Daily Dot reports that a Swiss hacker, responding to the name “maia arsoncrimew”, found an insecure server thanks to a specialized search engine Shodan. And the latter is full of sensitive data, including a four-year-old version of the no-fly list. In a file named “NoFly.csv”, please!

Hacker found a list of people who are forbidden to fly

In a post titled “How to Completely Own an Airline in 3 Easy Steps “published on his blog, the hacker explains that he was bored when he found this server. “By that time I had probably looked at 20 open and completely boring servers with nothing interesting on it when I started to see some familiar words.”“ACARS, “crew” references, etc. Words I have heard before, most often while watching Mentour Pilot YouTube videos. Jackpot. An open Jenkins server owned by CommuteAir.”

on an insecure airline server

CommuteAir, the national airline based in Ohio, has confirmed that the information on the server is correct. The server has since been down. “The server contained data from the 2019 version of the Federal No-Fly List, which included first names, last names and dates of birth,” CommuteAir communications manager Eric Kane told the Daily Dot. “In addition, some CommuteAir employees and flight information were available. We have forwarded the incident to the Cybersecurity and Infrastructure Security Agency and are conducting a full investigation.”

According to the Daily Dot, while there is no official figure for the number of people on the list, Senator Dianne Feinstein suggested in 2016 that the no-fly list included more than 81,000 people.

The server, discovered by the hacker @_nyancrimew, was protected before being published.

CommuteAir says the listing was the 2019 version.

The Daily Dot was able to track down numerous high-profile individuals, including recently released Russian arms dealer Viktor Bout and at least 16 aliases.

— Mikael Thalen (@MikaelThalen) January 19, 2023