A security hole in a widely used airline reservation system remains open to exploit, allowing miscreants to edit strangers' travel details online, The Register has learned. A fix to close the vulnerability was incomplete, and thus ineffective, it is claimed. […] The vulnerability revolves around the way Amadeus and airlines identify travelers: each person is assigned a unique booking reference, which is a six-digit alphanumeric string that retrieves their passenger name record (PNR). This record has all their personal details and their journeys. The system is used to manage passengers and flights, and allow government security agencies check the identity of travelers for known baddies.
This is really basic stuff …'It's like they took a rug and covered it up': Flight booking web app used by scores of airlines still vuln to attack – claim