A pair of security researchers say they discovered a vulnerability in the login systems for records used by the Transportation Security Administration (TSA) to verify airline crew members at airport security checkpoints. The bug lets anyone with “basic knowledge of SQL injection” add themselves to airline rosters, potentially letting them rush through security and into the cockpit of a commercial airliner, researcher Ian Carroll wrote in an August blog post.
Carroll and his partner Sam Curry apparently discovered the vulnerability while reviewing the third-party website of a vendor called FlyCASS that provides smaller airlines with access to the TSA’s Known Crewmember (KCM) system and Cockpit Access Security System (CASS). They found that when they put a simple apostrophe in the username field, they got a MySQL error.
This is a very bad sign, as it looks like the username is being included directly in the login SQL query. Sure enough, we discovered SQL injection and were able to use sqlmap to confirm the issue. With a username of ' or '1'='1 and a password of ') OR MD5('1')=MD5('1, we were able to log into FlyCASS as an Air Transport International administrator!
Once they’re in, Carroll wrote, “there’s no additional review or verification” that prevents them from adding crew records and photos for any airline that uses FlyCASS. Anyone who could exploit the vulnerability could present a fake employee number to get past a KCM security checkpoint, the blog said.
TSA press secretary R. Carter Langston denied that, telling Bleeping Computer that the agency “does not rely solely on this database to authenticate flight crew,” and that “only verified crewmembers are allowed to access secure areas at airports.”
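
The login flaw Carroll describes, shown beside its fix as an added example (this is not code from FlyCASS or from the researchers' post). The query shape, the table and column names and the sample row are assumptions, and SQLite stands in for MySQL so the example runs offline.

```python
import hashlib
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the MySQL backend.
    db = sqlite3.connect(":memory:")
    # SQLite has no MD5(), so register one to mirror the MySQL function.
    db.create_function("MD5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    db.execute("CREATE TABLE users (username TEXT, password_md5 TEXT, airline TEXT)")
    db.execute("INSERT INTO users VALUES (?, MD5(?), ?)",
               ("admin", "constructed-password", "Example Air"))
    return db

def login_vulnerable(db, username, password):
    # Assumed query shape: user input pasted straight into the SQL text.
    sql = ("SELECT airline FROM users WHERE username = '%s' "
           "AND password_md5 = MD5('%s')" % (username, password))
    return db.execute(sql).fetchone()

def login_parameterized(db, username, password):
    # Placeholders keep input as data; quotes in it never reach the parser.
    sql = "SELECT airline FROM users WHERE username = ? AND password_md5 = MD5(?)"
    return db.execute(sql, (username, password)).fetchone()

def compare(username, password):
    """Return (vulnerable_result, parameterized_result) for one login attempt."""
    db = make_db()
    try:
        vulnerable = login_vulnerable(db, username, password)
    except sqlite3.OperationalError as exc:
        vulnerable = "SQL error: %s" % exc  # what a lone apostrophe triggers
    return vulnerable, login_parameterized(db, username, password)

if __name__ == "__main__":
    attempts = [
        ("admin", "constructed-password"),        # legitimate login
        ("'", "x"),                               # the apostrophe probe
        ("' or '1'='1", "') OR MD5('1')=MD5('1"),  # strings quoted on the page
    ]
    for user, pw in attempts:
        print(repr(user), "->", compare(user, pw))
```

In the concatenated query the quoted strings close the literals early and append a condition that is always true, so a row comes back without a valid password; with placeholders the same strings are compared as ordinary text and match nothing.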