No-fly list leaked, Pokemon involved briefly
The Transportation Security Administration’s No Fly List is one of the most important ledgers in the United States, containing the names of people deemed such a threat to national security that they are not allowed on planes. You would be forgiven for thinking that list is a closely guarded state secret, but lol, no.
A Swiss hacker by the name of “maia arson crimew” got hold of a copy of the list (albeit a version from several years ago) not by bypassing fortress-like layers of cybersecurity, but by... finding a regional airline that had its data lying around on unprotected servers. They announced the discovery with the photo and screenshot above, in which the Pokémon Sprigatito looks extremely pleased with itself.
As they explain in a blog post detailing the process, crimew was searching the net when they discovered that CommuteAir’s servers were just sitting there:
like so many of my other hacks, this story started with me getting bored and browsing Shodan (or well, technically zoomeye, Chinese shodan), searching for jenkins servers that may contain some interesting merchandise. at this point I had probably clicked through about 20 boring exposed servers with very little of interest, when I suddenly started seeing some familiar words. “ACARS”, lots of mentions of “crew”, etc. a lot of words I have heard before, most likely while binge-watching Mentour Pilot YouTube videos. jackpot. an exposed jenkins server belonging to CommuteAir.
Among other “sensitive” information on the servers is “NOFLY.CSV,” which hilariously is exactly what it says on the box: “The server contains data from the 2019 version of the federal no-fly list including first and last name and date of birth,” CommuteAir Corporate Communications Director Erik Kane told the Daily Dot, who worked with crimew to sift through the data. “In addition, some CommuteAir employee and flight information is accessible. We have notified the Cybersecurity and Infrastructure Security Agency and we are continuing to fully investigate.”
Such “employee and flight information” includes, as crimew writes:
getting sample documents from different s3 buckets, going through the flight plans and rendering some dynamics tables. at this point I’ve found nearly every conceivable PII for each of their crew members. their full name, address, phone number, passport number, pilot license number, when it’s due to check their next route and more. i have trip sheets for every flight, the ability to access every flight plan ever, whole image attachments for booking return flights containing extra PII, plane maintenance data, you name it.
The government is now investigating the leak, with the TSA telling the Daily Dot: “We are aware of a potential cybersecurity incident and we are coordinating the investigation with our federal partners.”
If you’re wondering how many names are on the list, it’s hard to say. crimew told Kotaku that in this version of the list “there are about 1.5 million entries, but there are so many different aliases for different people that it is difficult to know how many unique people are actually on it” (a 2016 estimate put the count at “2,484,442 records, including 1,877,133 individual identities”).
Interestingly, since the list was uploaded to CommuteAir’s servers in 2022, it was assumed that that was the year the records were from. Instead, crimew told me “the only reason we [now] know [it] is from 2019 is that the airline has repeatedly confirmed so in all of their press releases, we previously assumed it was from 2022.”
You can check out crimew’s blog here, while the Daily Dot’s post, which says the list includes IRA members and an eight-year-old, is here.