how to completely own an airline in 3 easy steps and grab the TSA nofly list along the way
note: this is a slightly more technical* and comedic write up of the story covered by my friends over at dailydot, which you can read here
*i say slightly because there isn't a whole lot of complicated technical stuff going on here in the first place
step 1: boredom
like so many others of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, chinese shodan), looking for exposed jenkins servers that may contain some interesting goods. at this point i've probably clicked through about 20 boring exposed servers with very little of any interest, when i suddenly start seeing some familiar words. "ACARS", lots of mentions of "crew" and so on. lots of words i've heard before, most likely while binge watching Mentour Pilot YouTube videos. jackpot. an exposed jenkins server belonging to CommuteAir.
step 2: how much access do we have really?
okay but let's not get too excited too quickly. just because we have found a cool jenkins server doesn't mean we'll have access to much more than build logs. it quickly turns out that while we don't have anonymous admin access (yes that is quite frequently the case [god i love jenkins]), we do have access to build workspaces. this means we get to see the repositories that were built for each one of the ~70 build jobs.
step 3: let’s dig in
most of the projects here seem to be fairly small spring boot projects. the standardized project format and extensive use of the resources directory for configuration files will be very useful in this whole endeavour.
the very first project i decide to look at in more detail is something about "ACARS incoming", since i've heard the term acars before, and it sounds spicy. a quick look at the resource directory reveals a file called application-prod.properties (same also for -dev and -uat). it couldn't just be that easy now, could it?
well, it sure is! two minutes after finding said file i'm staring at filezilla connected to a navtech sftp server filled with incoming and outgoing ACARS messages. this aviation shit really do get serious.
here's a sample of a departure ACARS message:
from here on i started looking for journalists interested in a probably quite broad breach of US aviation. which unfortunately got people's hopes up in thinking i was behind the TSA issues and groundings a day earlier, but sadly i'm not quite that cool. so while i was waiting for someone to respond to my call for journalists i just kept digging, and oh the things i found.
as i kept looking at more and more config files in more and more of the projects, it dawned on me just how heavily i had already owned them within just half an hour or so. hardcoded credentials there would allow me access to navblue apis for refueling, cancelling and updating flights, swapping out crew members and so on (assuming i was willing to ever interact with a SOAP api in my life which i sure as hell am not).
i however kept looking back at the two projects named noflycomparison and noflycomparisonv2, which seemingly take the TSA nofly list and check if any of commuteair's crew members have ended up there. there are hardcoded credentials and s3 bucket names, however i just can't find the actual list itself anywhere. probably partially because it seemingly always gets deleted immediately after processing it, most likely specifically because of nosy kittens like me.
fast forward a few hours and i'm now talking to Mikael Thalen, a staff writer at dailydot. i give him a quick rundown of what i have found so far and how in the meantime, just half an hour before we started talking, i have ended up finding AWS credentials. i now seemingly have access to pretty much their entire aws infrastructure via aws-cli. numerous s3 buckets, dozens of dynamodb tables, as well as various servers and much more. commute really loves aws.
i also share with him how close we seemingly are to actually finding the TSA nofly list, which would obviously immediately make this a much bigger story than if it were "only" a super trivially ownable airline. i had even peeked at the nofly s3 bucket at this point which was seemingly empty. so we took one last look at the noflycomparison repositories to see if there is anything in there, and for the first time actually take a peek at the test data in the repository. and there it is. three csv files, employee_information.csv, NOFLY.CSV and SELECTEE.CSV. all committed to the repository in july 2022. the nofly csv is almost 80mb in size and contains over 1.56 million rows of data. this HAS to be the real deal (we later get confirmation that it is indeed a copy of the nofly list from 2019).
holy shit, we actually have the nofly list. holy fucking bingle. what?! :3
with the jackpot found and being looked into by my journalism friends i decided to dig a little further into aws. grabbing sample documents from various s3 buckets, going through flight plans and dumping some dynamodb tables. at this point i had found pretty much all PII imaginable for each of their crew members. full names, addresses, phone numbers, passport numbers, pilot's license numbers, when their next linecheck is due and much more. i had trip sheets for every flight, the potential to access every flight plan ever, a whole bunch of image attachments to bookings for reimbursement flights containing yet again more PII, airplane maintenance data, you name it.
i had owned them completely in less than a day, with pretty much no skill required besides the patience to sift through hundreds of shodan/zoomeye results.
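the two things that did the damage above are boring and checkable: literal credentials in application-*.properties files, and real data committed as "test data". the script below is an added example (not code from the post, and not anything CommuteAir runs) of a repository check a team could wire into CI or a pre-commit hook to catch both before a build workspace ever leaks them. the key-name heuristic, the size threshold, the file layout and every value in the demo tree are constructed for the demo; the only real behaviour it relies on is the java .properties format and the ${NAME} placeholder convention spring boot uses for externalized config.

```python
"""
Repository check for two leak patterns: secret-looking keys with literal values in
src/main/resources/application-*.properties, and bulky or sensitively named data files
committed under the repo (e.g. a CSV dropped into src/test/resources).

Added example; all paths, key names and file contents below are constructed.
"""
import re
import tempfile
from pathlib import Path

# assumed heuristic: property keys that usually carry a credential
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|access[-_.]?key|api[-_.]?key|private[-_.]?key)", re.I
)
# a value that is only a placeholder such as ${SFTP_PASSWORD} is externalized, not a leak
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]+\}$")
PROPERTIES_GLOB = "application*.properties"
DATA_SUFFIXES = {".csv", ".xlsx", ".json", ".sql"}
SIZE_LIMIT = 1 * 1024 * 1024          # constructed threshold: fixtures are small, real lists are not
SENSITIVE_NAME_RE = re.compile(r"(nofly|selectee|employee|passport|pii)", re.I)


def parse_properties(text):
    """Minimal java .properties parser: key=value or key:value, # and ! comments, \\ continuations."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continuation: stash and keep reading
            pending.append(line[:-1])
            continue
        pending.append(line)
        joined, pending = "".join(pending), []
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", joined)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def find_hardcoded_secrets(repo):
    """Return (relative path, key) for every secret-looking key whose value is a literal."""
    findings = []
    for path in Path(repo).rglob(PROPERTIES_GLOB):
        props = parse_properties(path.read_text(encoding="utf-8", errors="replace"))
        for key, value in props.items():
            if SECRET_KEY_RE.search(key) and value and not PLACEHOLDER_RE.match(value):
                findings.append((path.relative_to(repo).as_posix(), key))
    return sorted(findings)


def find_committed_data(repo):
    """Return (relative path, size) for data files that are large or sensitively named."""
    findings = []
    for path in Path(repo).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DATA_SUFFIXES:
            continue
        size = path.stat().st_size
        if size >= SIZE_LIMIT or SENSITIVE_NAME_RE.search(path.name):
            findings.append((path.relative_to(repo).as_posix(), size))
    return sorted(findings)


def build_demo_repo(root):
    """Write a constructed mini repository shaped like the projects described in the post."""
    res = Path(root, "src/main/resources")
    res.mkdir(parents=True)
    (res / "application-prod.properties").write_text(
        "# constructed sample, not real config\n"
        "sftp.host=sftp.example.invalid\n"
        "sftp.username=acars-ingest\n"
        "sftp.password=hunter2\n"                       # literal secret -> flagged
        "aws.access-key=AKIA_EXAMPLE_PLACEHOLDER\n"     # literal secret -> flagged
        "spring.datasource.url=jdbc:postgresql://db.example.invalid/acars\n"
    )
    (res / "application-dev.properties").write_text(
        "sftp.password=${SFTP_PASSWORD}\n"              # externalized -> not flagged
    )
    test = Path(root, "src/test/resources")
    test.mkdir(parents=True)
    (test / "NOFLY.CSV").write_text("lastname,firstname,dob\nDOE,JOHN,1970-01-01\n")  # constructed row
    (test / "fixture.csv").write_text("a,b\n1,2\n")     # small, harmless fixture
    return root


def run_demo():
    """Build the constructed repo in a temp dir and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_repo(tmp)
        return find_hardcoded_secrets(tmp), find_committed_data(tmp)


if __name__ == "__main__":
    secrets, data = run_demo()
    for path, key in secrets:
        print(f"hardcoded secret: {path} -> {key}")
    for path, size in data:
        print(f"suspicious data file: {path} ({size} bytes)")
```

the placeholder rule is what makes the check usable rather than noisy: a key like sftp.password is fine when its value is ${SFTP_PASSWORD} resolved from the environment or a secrets manager at startup, and is a finding when it is a literal. the data-file rule deliberately fires on name alone, because the one file that mattered here was well under any size limit that would tolerate ordinary fixtures only if the real list were also small, and a name like NOFLY.CSV in a test directory deserves a human look regardless of size.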
so what happens next with the nofly data
while the nature of this information is sensitive, i believe it is in the public interest for this list to be made available to journalists and human rights organizations. if you are a journalist, researcher, or other party with legitimate interest, please reach out at nofly@crimew.gay. i will only give this data to parties that i believe will do the right thing with it.
note: if you email me there and i don't respond within a regular timeframe it is very likely my reply ended up in your spam folder or got lost. using email not hosted by google or msft is hell. feel free to dm me on twitter in that case.
support me
if you liked this or any of my other security research feel free to support me on my ko-fi. i'm unemployed and in a rather precarious financial situation and do this research for free and for the fun of it, so anything goes a long way.