US No-Fly List Leaked via Airline Dev Server by @_nyancrimew

CommuteAir, a United Airlines puddle-jumper affiliate, leaked the federal government’s No-Fly and “Selectee” lists. Or, at least, a snapshot from 2019—totaling more than 1.8 million entries.

Not only that, but detailed personal info on almost 1,000 employees. The root cause was an unsecured, internet-facing Jenkins server that held hardcoded credentials for more than 40 Amazon S3 buckets and other company systems.

I’m amazed it hasn’t happened before. In today’s SB Blogwatch, we say hello to our old friend maia arson crimew.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: MonoNeon.

FBI TSC CSV on AWS S3

What’s the craic? Mikael Thalen and David Covucci claim a breathless exclusive—“U.S. airline accidentally exposes No Fly List”:

A development server
An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government’s Terrorist Screening Database and “No Fly List.” … It revealed a vast amount of [other] data, including private information on almost 1,000 CommuteAir employees.

On the list were several notable figures, including the recently freed Russian arms dealer Viktor Bout, alongside over 16 potential aliases for him. … Suspected members of the IRA, the Irish paramilitary organization, were also on the list.

TSA said that it was “aware of a potential cybersecurity incident with CommuteAir, and we are investigating.” … The FBI declined to answer specific questions. … CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes.

But how? Brandon Vigliarolo has more—“US terrorist no-fly list found unsecured on airline server”:

Credentials for more than 40 Amazon S3 buckets
US regional airline CommuteAir left an unsecured server connected to the internet. [It] hosted a 2019 copy of the US government’s no-fly list, with more than 1.5 million entries.

While there are a lot of duplicate entries, alias and variant spellings on the list, it’s still quite large. The FBI maintains the no-fly database, which is a select subset of its larger terrorist watch list that singles out people who aren’t allowed to board an airplane within or bound for the US.

Credentials for more than 40 Amazon S3 buckets and other CommuteAir servers were also discovered on the exposed system. … The server was taken offline prior to the news being reported.

Who discovered the cache? Katherine Tangalakis-Lippert describes her as “A bored hacktivist”:

It took just minutes
maia arson crimew … said she was clicking around on an online search engine full of unprotected servers … when she accessed one maintained by a little-known airline and found the highly sensitive documents, along with what she called a “jackpot” of other information. … The files “NoFly.csv,” and “selectee.csv” found by crimew contain over 1.8 million entries including names and dates of birth of people the FBI identifies as “known or suspected terrorists” who are prevented from boarding aircraft.

It took just minutes for her to access the server and find credentials that allowed her to see the database. … CommuteAir faced a similar data breach in November.

Here she is—maia arson crimew—“how to completely own an airline in 3 easy steps”:

NOFLY.CSV and SELECTEE.CSV
like so many of my other hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, chinese shodan), looking for exposed jenkins servers. … and oh the things i found.

it dawned on me just how heavily i had already owned them within just half an hour or so. hardcoded credentials there would allow me access to navblue apis for refueling, cancelling and updating flights, swapping out crew members and so on. … i now seemingly have access to pretty much their entire aws infrastructure via aws-cli. numerous s3 buckets, dozens of dynamodb tables … various servers and much more.

and there it is: … employee_information.csv, NOFLY.CSV and SELECTEE.CSV. all committed to the repository in july 2022. … holy ****ing bingle. what?!
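The chain crimew describes is the one a defender can hunt for from the other side: an exposed build server, credentials sitting in plain text in build config or a checked-out repository, and data files committed next to them. What follows is an added example in Python, not code from the original post nor from crimew or CommuteAir: a small scanner you would run over a Jenkins workspace or repo checkout to flag AWS access key IDs (the AKIA/ASIA prefix plus 16 characters), secret access keys named as such, password- or token-style assignments that are not templated, and data files whose names match the ones in the story. The file layout, the NAVBLUE_TOKEN variable name and every file's contents are constructed for the demo; the AWS key pair is Amazon's documented placeholder, not a live credential.

```python
"""Hunt for hardcoded cloud credentials and sensitive data files in a checked-out
repo or Jenkins workspace. Added example, not code from the original post nor
from CommuteAir or crimew. File names, variable names and all sample content
below are constructed for the demo; the AWS key pair is the documented
AKIAIOSFODNN7EXAMPLE placeholder, not a live credential."""
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# AWS long-term (AKIA) and temporary STS (ASIA) access key IDs: prefix + 16 uppercase base32-style chars.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A secret access key is 40 chars of [A-Za-z0-9/+]; demand a key-like name so random hashes are not flagged.
AWS_SECRET_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|aws_?secret|secret_?access_?key)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
# Generic "name = value" assignments of password/token-like settings (NAVBLUE_TOKEN below is hypothetical).
GENERIC_RE = re.compile(r"(?i)(?:password|passwd|token|api_?key|client_?secret)\s*[:=]\s*['\"]?([^'\"\s]{8,})")
# Templated or placeholder values (${VAR}, {{ var }}, changeme, <fill me>) are not secrets.
PLACEHOLDER_RE = re.compile(r"^(\$\{|\$\(|\{\{|%\(|changeme|<.*>$)")
# Data files that have no business in a repo or build workspace; the names come from the story.
SENSITIVE_FILE_RE = re.compile(r"(?i)^(nofly|selectee|employee[_-]?information)\.csv$")


def shannon_entropy(s):
    """Bits per character: random 40-char base64 is ~5, English words ~3, 'aaaa' is 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def _finding(path, lineno, kind, value):
    # Never echo a suspected secret in full: keep enough to locate it, not enough to use it.
    return {"path": str(path), "line": lineno, "kind": kind,
            "redacted": value[:4] + "..." + value[-2:], "entropy": round(shannon_entropy(value), 2)}


def scan_text(text, path="<string>"):
    """Return one finding dict per suspected credential in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(_finding(path, lineno, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append(_finding(path, lineno, "aws_secret_access_key", m.group(1)))
        for m in GENERIC_RE.finditer(line):
            value = m.group(1)
            if PLACEHOLDER_RE.match(value):
                continue  # pulled from Vault/env at build time, which is what we want to see
            findings.append(_finding(path, lineno, "hardcoded_secret", value))
    return findings


def scan_tree(root):
    """Walk `root`, flag sensitive file names and scan every text file's contents."""
    root = Path(root)
    findings = []
    for path in sorted((p for p in root.rglob("*") if p.is_file()), key=str):
        rel = path.relative_to(root)
        if SENSITIVE_FILE_RE.match(path.name):
            findings.append({"path": str(rel), "line": 0, "kind": "sensitive_data_file",
                             "redacted": path.name, "entropy": 0.0})
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary artifact; out of scope for a text scanner
        findings.extend(scan_text(text, rel))
    return findings


# Constructed sample workspace: one leaked token in a Jenkinsfile, one templated (clean) value,
# a properties file with the documented AWS example key pair, a data file that should not be here.
SAMPLE_FILES = {
    "Jenkinsfile": ("pipeline {\n  environment {\n"
                    "    NAVBLUE_TOKEN = 'nb-7Qx9zLp2vK4mR8tW1sYc'\n"
                    "    VAULT_TOKEN = '${VAULT_TOKEN}'\n"
                    "  }\n}\n"),
    "config/aws.properties": ("aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
                              "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "data/NOFLY.CSV": "LAST,FIRST,DOB\nDOE,JOHN,1970-01-01\n",  # constructed rows, not real data
    "README.md": "Build with `make`; the deploy password lives in Vault.\n",
}


def scan_samples():
    """Write the constructed sample tree to a temp dir and scan it (demo entry point)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['kind']:<22} {f['path']}:{f['line']}  {f['redacted']}  entropy={f['entropy']}")
```

On the sample tree this reports the Jenkinsfile token, the key ID and secret in the properties file, and NOFLY.CSV by name, and stays quiet on the templated Vault reference and the README. Two caveats a practitioner will want: crimew found the files "committed to the repository", so scanning the working tree is not enough and the same scan belongs on every commit in history (`git log -p`, or each ref); and a scanner is detection, not remediation. Once a key has sat on an internet-facing Jenkins server, the only fix is to rotate it and review what it was used for.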

Wait. Pause. CSV files? Dr Bob has a legacy vision:

It might be pulled into some ancient proprietary booking/ticket system, with something bolted on to check a no fly list, rather than a file opened in Excel at the checkout gate. [But] it definitely should be encrypted.

And ShanghaiBill agrees:

Indeed. Any DB can import csv. Any spreadsheet program can load it. It is also easy to parse using Python, Perl, or even grep and sed. If someone sends me data, I always ask for csv.

CommuteAir says no customer PII was exposed. John Brown (no body) scoffs at the PR spin:

No customer information was exposed? Well, no, of course not. Staff aren’t customers. Nor are the 1.5 million people not allowed to fly.

On the other hand, did they change the AWS bucket login details in time? Have they had time to fully check everything and confirm no other systems have been accessed?

Don’t hate the playa. hudsmt hates the game:

I know several people who were on the terrorist watchlist about 20 years ago because they were protesting (as in, chanting with signs) about the military’s Don’t Ask, Don’t Tell policy. There should really be some more oversight.

Meanwhile, lest we forget, this is a list of people who are guilty until proven innocent. Iamthecheese tropes it up:

What if I told you, “The government thinks they’re dangerous,” and “They are dangerous,” are two different things? Would that blow your mind?

And Finally:

A big basket of WTH

Hat tip: Mudface

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Domagoj Ćosić (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
