KLM and AirFrance passenger data accessible through guessable URL
Take action: Security by obscurity using randomized URLs is just like using passwords: make the token short and easy to brute-force, and someone will automate an attack on the application and steal or modify a large amount of data. Use proper authentication, or at least a very large character space for the random URL so that brute-forcing is infeasible.
Learn More
The Dutch public news organization NOS, in collaboration with security researcher Benjamin Broersma, discovered that private data of KLM and Air France passengers could be easily accessed.
The vulnerability stems from the simplicity of the hyperlinks in the text messages sent by KLM for flight information, which were only six characters long. By experimenting with different combinations, a valid link could be discovered every 100 to 200 attempts, potentially allowing access to, and even the modification or deletion of, sensitive information like passport and visa details, though this was not actually tested.
KLM responded by blocking the IP addresses used in the investigation after over five hours and later implemented a login screen to secure access to flight information.
Benjamin Broersma noted that the short length of the hyperlink's code and the high proportion of functioning combinations made it vulnerable to automated scripts. Although there are 56.8 billion possible combinations with a six-character code, the investigation suggested that 0.5 percent might be valid, equating to around 284 million combinations leading directly to customer data.
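To make the "character space" advice concrete, the following Python example (added here; it is not code from NOS, KLM or the researcher) turns the article's figures into a brute-force estimate and contrasts them with a properly sized token. It assumes a 62-character alphanumeric alphabet, which is what reproduces the 56.8 billion figure for six characters, and an arbitrary attacker budget of one billion guesses per second; the token generator uses Python's `secrets` module rather than anything KLM actually deployed.

```python
"""Keyspace arithmetic for 'unguessable' URL tokens (added example).

Article figures: 6-character code, ~56.8 billion combinations, ~0.5% live
(~284 million tokens that resolve to passenger data). The 62-character
alphabet and the guessing rate are assumptions made for this example.
"""
import math
import secrets

ALPHANUMERIC = 62        # [0-9A-Za-z]: 62**6 == 56,800,235,584 (assumed alphabet)
URL_SAFE_B64 = 64        # alphabet used by secrets.token_urlsafe (A-Z a-z 0-9 - _)
ARTICLE_LIVE_TOKENS = 284_000_000   # from the article
ARTICLE_TOKEN_LENGTH = 6            # from the article


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct tokens of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: 6 alphanumeric characters give only ~35.7 bits."""
    return math.log2(keyspace(alphabet_size, length))


def live_fraction(live_tokens: int, alphabet_size: int, length: int) -> float:
    """Share of the keyspace that maps to real records (the article's 0.5%)."""
    return live_tokens / keyspace(alphabet_size, length)


def expected_guesses_per_hit(live_tokens: int, alphabet_size: int, length: int) -> float:
    """Mean number of uniformly random guesses until one lands on a live token.

    This is keyspace / live_tokens, so a large keyspace only protects you if
    the number of live tokens stays tiny relative to it.
    """
    return keyspace(alphabet_size, length) / live_tokens


def seconds_to_first_hit(live_tokens: int, alphabet_size: int, length: int,
                         guesses_per_second: float = 1e9) -> float:
    """Expected wall-clock time to the first hit at an assumed guessing rate."""
    return expected_guesses_per_hit(live_tokens, alphabet_size, length) / guesses_per_second


def min_length_for_margin(live_tokens: int, alphabet_size: int,
                          target_guesses: float = 2.0 ** 80) -> int:
    """Smallest token length such that an attacker needs, on average, at least
    `target_guesses` random attempts per hit given `live_tokens` live records."""
    length = 1
    while keyspace(alphabet_size, length) / live_tokens < target_guesses:
        length += 1
    return length


def new_token(nbytes: int = 16) -> str:
    """A replacement token: 16 random bytes -> 22 URL-safe characters (128 bits)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print(f"6-char keyspace: {keyspace(ALPHANUMERIC, 6):,} "
          f"({entropy_bits(ALPHANUMERIC, 6):.1f} bits)")
    print(f"live fraction: {live_fraction(ARTICLE_LIVE_TOKENS, ALPHANUMERIC, 6):.4%}")
    print(f"expected guesses per hit: "
          f"{expected_guesses_per_hit(ARTICLE_LIVE_TOKENS, ALPHANUMERIC, 6):.0f}")
    print(f"time to first hit at 1e9/s: "
          f"{seconds_to_first_hit(ARTICLE_LIVE_TOKENS, ALPHANUMERIC, 6):.2e} s")
    print(f"length needed for 2^80 guesses/hit (64-char alphabet): "
          f"{min_length_for_margin(ARTICLE_LIVE_TOKENS, URL_SAFE_B64)}")
    tok = new_token()
    print(f"sample replacement token: {tok} ({len(tok)} chars)")
    print(f"time to first hit with 22-char tokens at 1e9/s: "
          f"{seconds_to_first_hit(ARTICLE_LIVE_TOKENS, URL_SAFE_B64, len(tok)) / 3.15e7:.2e} years")
```

The point the numbers make: the expected cost of a hit is keyspace divided by live tokens, so with 284 million live six-character tokens an attacker needs about 200 requests per passenger record, which matches the one hit per 100 to 200 attempts NOS observed. Moving to a 22-character token from `secrets.token_urlsafe` pushes that to roughly 2^104 requests per hit, and the function `min_length_for_margin` shows that even a 2^80 margin already requires 19 characters once you account for the number of live records. Token length is a mitigation for the enumeration only; it does not replace authentication for reading or changing passport and visa data.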
KLM has not provided any details about the breach's extent - whether previous brute force attempts have also been detected or whether passport and visa information could be manipulated through these hyperlinks. KLM claims that only a "small percentage" of their customers received such text messages but did not specify numbers.
The NOS team made no attempts to conceal their research activities, suggesting that a more determined threat actor could have circumvented KLM’s countermeasures more effectively by frequently changing IP addresses.