Frontier Airlines’ Booking System Exposes Passengers’ Personal Data Without Authorization

by Anika Shah - Technology

Security Researcher Discovers Critical Vulnerabilities in Frontier Airlines’ Booking System

A security researcher has identified serious flaws in Frontier Airlines’ booking system that allow unauthorized access to sensitive passenger data using only a boarding pass’s booking code and last name, according to a detailed disclosure by BobDaHacker. The vulnerabilities, which have remained unaddressed for over three months, expose personal information including passport numbers, credit card details, and TSA PreCheck codes.

What Data Is Exposed Through Frontier’s API?

BobDaHacker’s findings reveal that Frontier’s mobile API and “Manage My Booking” pages leak comprehensive passenger data. A six-character PNR (Passenger Name Record) and last name, both visible on boarding passes, grant access to full home addresses, email addresses, phone numbers, dates of birth, passport details, TSA PreCheck identifiers, and credit card information. The exposed data includes the first six digits of credit card numbers (BIN), last four digits, expiration dates, and billing addresses, according to the researcher.

“The BIN combined with the last four digits leaves only five unknown digits, which can be iterated through a script,” BobDaHacker explained. “With the cardholder’s name, expiration date, and billing address, the CVV becomes the sole remaining security control.”

How Did the Vulnerability Remain Unpatched for Three Months?

The researcher first reported the issues to Frontier on March 3. As of June 18, the airline had not addressed the vulnerabilities, despite multiple follow-ups. Frontier fixed one endpoint that required only a PNR but left other flaws live, including a page that exposed passport numbers and KTNs (Known Traveler Numbers) in server-rendered JSON. A former employee attributed the system’s instability to its legacy codebase, referring to it as “a mess of generated config and code that only one person was senior enough to touch.”

What Steps Has Frontier Taken to Address the Issues?

Frontier addressed one vulnerability in its “Manage My Booking” page but introduced two new leaks in the process, including the exposure of phone numbers. The airline also fixed an endpoint that required only a PNR but did not resolve the core issues. As of the latest update, Frontier has not issued a public statement or confirmed any patches, according to the researcher.
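
A fix that closes one leak while opening two others is the typical failure of removing fields one at a time. The Python example below is added here and is not Frontier's or the researcher's code: it builds each booking response from an allowlist keyed to how the caller authenticated, and its field names, assurance levels and sample record are all hypothetical.

```python
import json

# Hypothetical assurance levels. A PNR and last name are both printed on the
# boarding pass, so a lookup by them is treated as low assurance.
PNR_LOOKUP = "pnr_lookup"
ACCOUNT_LOGIN = "account_login"

def keep(value):
    return value

def presence(value):
    """Say only whether a value is on file, never the value itself."""
    return "on file" if value else "not provided"

def mask_tail(value, visible=4):
    """Replace all but the last `visible` characters with '*'."""
    text = str(value)
    return "*" * max(len(text) - visible, 0) + text[-visible:]

# Allowlist per assurance level: field name -> transform. A field that is not
# listed is dropped, so one added to the record later is not exposed by default.
# The card BIN, expiry and billing address are listed at neither level.
POLICY = {
    PNR_LOOKUP: {"flight": keep, "first_name": keep,
                 "passport_number": presence, "ktn": presence},
    ACCOUNT_LOGIN: {"flight": keep, "first_name": keep, "email": keep,
                    "phone": mask_tail, "passport_number": mask_tail,
                    "ktn": mask_tail, "card_last4": keep},
}

def render_booking(record, assurance):
    """Return the JSON body for a booking page at the given assurance level."""
    allowed = POLICY.get(assurance, {})  # unknown level: fail closed, no fields
    view = {name: fn(record[name]) for name, fn in allowed.items() if name in record}
    return json.dumps(view, sort_keys=True)

# Constructed sample record; every value is made up.
SAMPLE = {
    "flight": "F9 0000", "first_name": "Alex", "email": "alex@example.com",
    "phone": "5550100123", "passport_number": "X12345678", "ktn": "TT1234567",
    "card_bin": "400000", "card_last4": "4242", "card_expiry": "01/30",
    "billing_address": "1 Example St", "date_of_birth": "1990-01-01",
}

if __name__ == "__main__":
    print(render_booking(SAMPLE, PNR_LOOKUP))
    print(render_booking(SAMPLE, ACCOUNT_LOGIN))
```

Because the serializer starts from nothing and adds only listed fields, a column added to the booking record later stays out of both views until someone deliberately adds it to the policy.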

Why Does This Matter for Travelers?

The exposure of sensitive data increases risks of identity theft and fraud. Passengers who shared boarding passes on social media, in photos, or through discarded documents may have their information accessible to malicious actors. Cybersecurity experts emphasize that even partial credit card details can be exploited, particularly when combined with other personal data.

“This highlights the importance of securing boarding passes and being cautious about sharing travel information online,” said a cybersecurity analyst at a leading firm. “Airlines must prioritize legacy system overhauls to prevent such breaches.”

What Are the Broader Implications for Airline Security?

The incident underscores systemic risks in airline booking systems, which often rely on outdated infrastructure. Similar vulnerabilities have been reported in other industries, where legacy systems fail to meet modern security standards. The Federal Aviation Administration (FAA) and other regulators have historically urged airlines to adopt more robust data protection measures, but enforcement remains inconsistent.

“This is not an isolated case,” said a transportation policy expert. “Many airlines face similar challenges with aging technology, and without proactive updates, such breaches will continue.”
