London Mail

Terrifying bug let anyone add fake pilots to roster used at TSA checks and skip security screenings

by London Mail
September 10, 2024
in Science
Reading Time: 6 mins read

Flaws in a third-party app that allows smaller airlines to upload pilots and flight crew onto pre-cleared lists could have helped ‘fake pilots’ skip key security screenings.

The bug would have let malicious actors add anyone they wished to the Known Crewmember program database — which lets the Transportation Security Administration (TSA) identify airline staff who can bypass their security checkpoints.

The two cybersecurity researchers, ‘bug bounty hunters,’ who found the flaw said that they had privately reported the issue last April to both the Federal Aviation Administration and the US Department of Homeland Security, which runs the TSA. 

The troubling discovery follows a TSA report that 300 people have evaded airport security since March 2023: ‘a larger number than we realized,’ the agency said. 

Flaws in third-party app FlyCASS – which allows smaller airlines to upload pilots and flight crew onto pre-cleared TSA lists – may have helped ‘fake pilots’ skip security checks, cybersecurity researchers said. Above, TSA screenings in action at the Denver International Airport in 2019

Only the FAA has taken appropriate action, they said, adding ‘the TSA press office issued dangerously incorrect statements about the vulnerability.’ 

The pair of security researchers, Ian Carroll and Sam Curry, said they uncovered the vulnerability in login systems for the third-party website of the vendor FlyCASS.

FlyCASS allows small airline clients the ability to upload their air crews’ information to both the TSA’s Known Crewmember (KCM) system and FAA’s Cockpit Access Security System (CASS). 

‘Anyone with basic knowledge of SQL injection could login to this site and add anyone they wanted to KCM and CASS,’ the duo said, ‘allowing themselves to both skip security screening and then access the cockpits of commercial airliners.’

‘We realized we had discovered a very serious problem,’ Carroll and Curry added. 

Computer science experts at the University of California at Berkeley have described SQL injections as ‘one of the most common web attack mechanisms utilized by attackers to steal sensitive data from organizations.’

The technique exploits a common weakness in how web applications use Structured Query Language (SQL), the language used to query the databases behind websites.

The attack allows a hacker to submit crafted text containing SQL through user-facing inputs such as contact forms on websites or, in this case, the login form of the FlyCASS web-based app for airlines; if the application pastes that text straight into a database query, the database executes it as part of the query. 

Using a series of basic SQL injections, the security researchers were first able to gain administration privileges in FlyCASS for the small, Ohio-based cargo airline Air Transport International.

Carroll and Curry reported that they were then able to upload a fake airline employee for Air Transport International, named ‘Test TestOnly’ with an ID photo and were able to authorize ‘TestOnly’ for both KCM and CASS access.
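As an added illustration of the flaw class described above (this is not FlyCASS's code or the researchers' code), the injectable login pattern is shown beside its hardened form in Python with sqlite3; the table name, rows and inputs are constructed for the demonstration, and the check at the end is the kind of test a defender can run against a login form without any attack payload:

```python
"""Added example, not FlyCASS's code: the injectable login pattern beside
its hardened form. The table, rows and inputs are constructed here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a vendor portal's admin-login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE airline_admins (username TEXT, password TEXT)")
    # Constructed rows, not real credentials. Plaintext passwords only keep
    # the demo short; a real system stores password hashes.
    conn.executemany(
        "INSERT INTO airline_admins VALUES (?, ?)",
        [("ops_admin", "hunter2"), ("o'brien", "pw")],
    )
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user input is spliced into the SQL text, so whatever is
    typed is parsed as part of the query rather than compared as a value."""
    sql = (
        "SELECT COUNT(*) FROM airline_admins "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: parameterised query. The SQL text is fixed and the driver
    passes the values separately, so a quote in the input is only data."""
    sql = "SELECT COUNT(*) FROM airline_admins WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def input_reaches_parser(conn: sqlite3.Connection, username: str) -> bool:
    """Defender's check: a legitimate username containing an apostrophe
    should never break the query. If it does, input is reaching the SQL
    parser and the login is injectable."""
    try:
        login_unsafe(conn, username, "x")
    except sqlite3.Error:
        return True
    return False
```

The apostrophe in a real name such as O'Brien is enough to show the difference: the string-built query fails to parse, while the parameterised one simply compares the value.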

TSA press secretary R. Carter Langston denied that the security researchers’ findings were as dire as the duo claimed. 

Using ‘SQL injection’ techniques, security researchers were able to gain administration privileges in FlyCASS for small, Ohio-based cargo airline Air Transport International

Carroll and Curry reported that they were able to upload a fake airline employee, named ‘Test TestOnly,’ (above) and were able to authorize the fake for both KCM and CASS access

The two cybersecurity researchers have now also accused the TSA of issuing ‘dangerously incorrect statements about the vulnerability’ – minimizing the risk it may pose to air traffic

TSA, according to Langston, ‘does not solely rely on this database to verify the identity of crewmembers.’ 

‘TSA has procedures in place to verify the identity of crewmembers,’ Langston told Bleeping Computer, ‘and only verified crewmembers are permitted access to the secure area in airports.’

‘No government data or systems were compromised and there are no transportation security impacts related to the activities,’ the agency spokesperson emphasized. 

In an update to their report, Carroll and Curry pushed back, noting that the administrator privileges they had obtained also allowed them to edit existing profiles in the Known Crewmember database, not just add new ones.

‘Since our vulnerability allowed us to edit an existing KCM member,’ they said, ‘we could have changed the photo and name of an existing enrolled user, which would likely bypass any vetting process that may exist for new members.’
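The researchers' point is that vetting which only looks at newly added members misses an edit to an existing one. As an added example (not the researchers' or TSA's code), the audit below compares two roster snapshots and treats a changed name or photo on an enrolled member, or newly granted KCM/CASS access, as events a vetting process must see; the record fields and sample rows are constructed for the demonstration:

```python
"""Added example, not the researchers' or TSA's code: audit roster edits so
that changes to an enrolled member are vetted like new enrolments."""
from typing import Dict, List, Tuple

Record = Dict[str, object]

# Fields whose change on an enrolled member should trigger re-vetting.
IDENTITY_FIELDS = ("name", "photo_sha256")
# Fields that grant access; flipping one on is as significant as enrolling.
ACCESS_FIELDS = ("kcm", "cass")


def audit_roster(baseline: Dict[str, Record],
                 current: Dict[str, Record]) -> List[Tuple[str, str]]:
    """Compare two snapshots keyed by member id and return (member_id, reason)
    pairs for new members, identity edits on existing members, newly granted
    access, and removals."""
    findings: List[Tuple[str, str]] = []
    for member_id, rec in current.items():
        old = baseline.get(member_id)
        if old is None:
            findings.append((member_id, "new member: requires vetting"))
            continue
        for field in IDENTITY_FIELDS:
            if old.get(field) != rec.get(field):
                findings.append((member_id, f"{field} changed on enrolled member: re-vet"))
        for field in ACCESS_FIELDS:
            if not old.get(field) and rec.get(field):
                findings.append((member_id, f"{field} access newly granted"))
    for member_id in baseline.keys() - current.keys():
        findings.append((member_id, "member removed"))
    return findings


# Constructed sample snapshots; no real crew data.
BASELINE = {
    "C-1001": {"name": "A. Pilot", "photo_sha256": "aaaa", "kcm": True, "cass": True},
    "C-1002": {"name": "B. Crew", "photo_sha256": "bbbb", "kcm": True, "cass": False},
}
CURRENT = {
    # Same id and access flags as before, but the identity was swapped out.
    "C-1001": {"name": "Test TestOnly", "photo_sha256": "ffff", "kcm": True, "cass": True},
    "C-1002": {"name": "B. Crew", "photo_sha256": "bbbb", "kcm": True, "cass": True},
    "C-2000": {"name": "New Hire", "photo_sha256": "cccc", "kcm": True, "cass": True},
}
```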

Update: At 12:46 Eastern time on Tuesday, the day after publication of this article, a spokesperson with TSA’s Media Ops Division reached out to DailyMail.com with ‘an updated statement.’

TSA’s updated statement reads: In April, TSA became aware of a report that a vulnerability in a third party’s database containing airline crewmember information was discovered and that through testing of the vulnerability, an unverified name was added to a list of crewmembers in the database. This vulnerability was immediately resolved by the third party. No government data or systems were compromised and there are no transportation security impacts related to the activities.

TSA does not solely rely on this database to verify the identity of crewmembers. TSA has procedures in place to verify the identity of crewmembers and only verified crewmembers are permitted access to the secure area in airports. TSA worked with stakeholders to mitigate against any identified cyber vulnerabilities.


London Mail | Stay Informed, Stay Inspired ©2025, All rights Reserved