Everyone makes mistakes at work, but leaving the no-fly list exposed on the internet seems like a really bad one.
This is apparently what happened with the American airline CommuteAir. The Daily Dot reported that a Swiss hacker known as “maia arson crimew” found the unsecured server using the specialized search engine Shodan. There was apparently a lot of sensitive information on the server, including a version of the no-fly list from four years ago. Somewhat hilariously, it was reportedly found via a text file titled “NoFly.csv”. It’s… not hard to guess.
A blog post from crimew titled “how to completely own an airline in 3 easy steps” cited boredom as the reason for finding the server. They were just snooping around and found it.
“At this point, I’ve probably clicked through about 20 annoying exposed servers with very little interest, when I suddenly start seeing some familiar words,” crimew says in their blog post. “‘ACARS’, lots of mentions of ‘crew’ and so on. Lots of words I’ve heard before, most likely watching YouTube videos of Mentour Pilot. Jackpot. Exposed jenkins server owned by CommuteAir.”
CommuteAir, an American regional airline based in Ohio, confirmed to the Daily Dot that the information on the server was authentic. The server has been taken offline.
“The server contained data from a 2019 version of the federal no-fly list that included first names, last names and dates of birth,” Erik Kane, CommuteAir’s corporate communications manager, told the Daily Dot. “Additionally, certain CommuteAir employees and flight information were accessed. We have submitted a notification to the Cybersecurity and Infrastructure Security Agency and are pursuing a full investigation.”
The server information has already been dumped, and some researchers say it shows how strongly the list is biased against Muslims. According to the Daily Dot, although there is no official count of the names on the no-fly list, Sen. Dianne Feinstein (D-California) suggested in 2016 that more than 81,000 people were on the list.