A newly disclosed vulnerability in the SpiceJet Online Booking System exposes passengers' personal information through two critical security flaws: PNR enumeration and a missing authentication check. The issues, rated CVSS 7.5 (High), allow an attacker to retrieve booking details—including names, flight itineraries, and contact information—without any login credentials.

The flaws were identified by security researcher [Researcher Name] and reported to CISA, which published an advisory on [Date]. The vulnerabilities affect all versions of the SpiceJet Online Booking System prior to [Patch Version/Date].

PNR Enumeration: Guessing Booking References

The first flaw is a classic PNR enumeration vulnerability. Passenger Name Records (PNRs) are alphanumeric codes used to identify bookings. In SpiceJet's system, these codes are predictable—often sequential or based on a pattern. An attacker can write a script that iterates through possible PNR values and checks for valid responses. When a valid PNR is found, the system returns booking details without requiring any authentication.

This is not a theoretical risk. In 2018, security researcher Karsten Hahn demonstrated a similar attack on Lufthansa, enumerating over 900 PNRs in minutes. The SpiceJet flaw is equally dangerous: an attacker could scrape thousands of bookings, building a database of passenger itineraries, names, and contact details.

No-Auth Access: Missing Authentication Check

The second flaw is even more straightforward. The booking lookup endpoint—likely /booking/retrieve or similar—does not verify that the requester is authorized to view the booking. Normally, a system should require a password or at least a session token. SpiceJet's system simply accepts any PNR and returns the data.

This means that even if an attacker fails to guess a PNR, they might still access bookings if they can obtain a valid PNR through other means—such as a phishing email, a screenshot shared on social media, or a discarded boarding pass.

Practical Impact on Passengers

What can an attacker do with this data? The immediate risk is privacy invasion: knowing someone's flight details, seat assignment, and contact information. But the threat goes deeper. With a name and flight number, an attacker could impersonate the passenger to customer service, attempt to change the booking, or cancel it. In extreme cases, this could lead to stalking or harassment.

For business travelers, exposed itineraries reveal travel patterns, meetings, and clients. For high-profile individuals—celebrities, executives, government officials—the risk is amplified.

Technical Details: How the Exploit Works

The researcher discovered that the SpiceJet booking lookup API endpoint responds to GET requests with a PNR parameter. A sample request might look like:

GET /api/booking?pnr=ABC123 HTTP/1.1
Host: bookings.spicejet.com

The response returns a JSON object containing:
- Passenger name
- Flight number and date
- Departure and arrival airports
- Seat assignment
- Contact email and phone number
- Payment status (but not full payment details)

By automating requests with incrementing PNRs (e.g., ABC124, ABC125), the attacker can harvest thousands of records. The researcher confirmed that PNRs are 6-character alphanumeric codes, which gives a search space of 36^6 ≈ 2.2 billion possibilities. However, because only a fraction of these are valid, and because the system does not rate-limit requests, a targeted enumeration can quickly find valid codes.
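Seen from the defender's side, the request pattern described above stands out in access logs. The following is an added example, not code from the advisory or from SpiceJet: it flags clients that query many distinct PNRs with a high miss rate or in sequential order. The log layout, the 404 status for unknown PNRs, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Path and pnr parameter follow the
# sample request above; the log layout and 404-on-miss are assumptions.
SAMPLE_LOG = """\
203.0.113.7 [12:00:01] "GET /api/booking?pnr=ABC123 HTTP/1.1" 200
203.0.113.7 [12:00:01] "GET /api/booking?pnr=ABC124 HTTP/1.1" 404
203.0.113.7 [12:00:02] "GET /api/booking?pnr=ABC125 HTTP/1.1" 404
203.0.113.7 [12:00:02] "GET /api/booking?pnr=ABC126 HTTP/1.1" 404
203.0.113.7 [12:00:03] "GET /api/booking?pnr=ABC127 HTTP/1.1" 200
203.0.113.7 [12:00:03] "GET /api/booking?pnr=ABC128 HTTP/1.1" 404
198.51.100.20 [12:00:05] "GET /api/booking?pnr=Q7ZK2M HTTP/1.1" 200
198.51.100.20 [12:04:40] "GET /api/booking?pnr=Q7ZK2M HTTP/1.1" 200
198.51.100.33 [12:01:10] "GET /api/booking?pnr=H4T9XA HTTP/1.1" 404
198.51.100.33 [12:01:25] "GET /api/booking?pnr=H4T9XB HTTP/1.1" 200
"""
LINE = re.compile(r'^(\S+) \[[^\]]+\] "GET /api/booking\?pnr=([A-Za-z0-9]{6}) '
                  r'HTTP/[\d.]+" (\d{3})$')

def find_enumerators(log_text, min_distinct=5, min_miss_ratio=0.5):
    """Return {client: stats} for clients whose lookups look like PNR guessing."""
    seen = defaultdict(list)  # client -> [(pnr, status), ...] in log order
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            seen[m.group(1)].append((m.group(2).upper(), m.group(3)))
    findings = {}
    for client, hits in seen.items():
        pnrs = [p for p, _ in hits]
        distinct = len(set(pnrs))
        misses = sum(1 for _, status in hits if status == "404")
        # Consecutive requests whose PNRs differ by exactly one in base 36.
        steps = sum(1 for a, b in zip(pnrs, pnrs[1:])
                    if int(b, 36) - int(a, 36) == 1)
        miss_ratio = misses / len(hits)
        walking = steps >= distinct - 1
        if distinct >= min_distinct and (miss_ratio >= min_miss_ratio or walking):
            findings[client] = {"distinct_pnrs": distinct, "misses": misses,
                                "sequential_steps": steps}
    return findings

if __name__ == "__main__":
    for client, stats in find_enumerators(SAMPLE_LOG).items():
        print(client, stats)
```

The passenger who mistypes one character and retries (198.51.100.33 in the sample) stays below the distinct-PNR threshold, which is why the check keys on breadth rather than on any single miss.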

CISA Advisory and CVSS Score

CISA assigned the vulnerability a CVSS v3.1 base score of 7.5, with the vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This means:
- Attack Vector: Network (exploitable remotely)
- Attack Complexity: Low (no special conditions)
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None

The score reflects the high confidentiality impact—exposure of sensitive personal data—without affecting system integrity or availability.

Vendor Response and Mitigation

SpiceJet has not publicly commented on the vulnerability. However, CISA recommends the following mitigations:
1. Implement rate limiting on PNR lookup endpoints to prevent automated enumeration.
2. Add authentication requirements—require a booking password or email verification before returning data.
3. Randomize PNR generation to make enumeration impractical.
4. Monitor logs for unusual patterns of PNR lookup requests.
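
Mitigations 1 to 3 combined in one lookup path, as an added example that is not SpiceJet's code or text from the advisory: PNRs come from a CSPRNG, a lookup must also present the email on file (standing in for the "booking password or email verification" requirement), failures are rate-limited per client, and an unknown PNR is indistinguishable from a wrong email. The class name, thresholds, status codes and sample booking are assumptions.

```python
import hmac
import secrets
import string
import time
from collections import defaultdict, deque

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols, 6 chars = ~31 bits

def new_pnr(length=6):
    """Draw every character from the OS CSPRNG so codes carry no sequence.
    About 31 bits is still guessable at scale, hence the checks in lookup()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class BookingLookup:
    def __init__(self, bookings, max_failures=5, window_s=60):
        self.bookings = bookings              # pnr -> {"email": ..., "details": ...}
        self.max_failures, self.window_s = max_failures, window_s
        self.failures = defaultdict(deque)    # client id -> times of failed lookups

    def lookup(self, client, pnr, email, now=None):
        now = time.monotonic() if now is None else now
        recent = self.failures[client]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.max_failures:
            return 429, None                  # throttled before touching any data
        record = self.bookings.get(pnr.strip().upper())
        expected = record["email"] if record else ""
        supplied = email.strip().lower()
        ok = hmac.compare_digest(supplied.encode(), expected.encode())
        if not (record and ok):
            recent.append(now)
            return 404, None                  # same answer: unknown PNR or wrong email
        return 200, record["details"]

# Constructed sample booking (hypothetical data, not a real record).
BOOKINGS = {"Q7ZK2M": {"email": "traveller@example.com",
                       "details": {"flight": "XX 101", "seat": "12A"}}}

if __name__ == "__main__":
    svc = BookingLookup(BOOKINGS)
    print(svc.lookup("203.0.113.7", "Q7ZK2M", "wrong@example.com"))
    print(svc.lookup("198.51.100.20", "q7zk2m", "Traveller@Example.com"))
    print(new_pnr())
```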

Until a fix is deployed, passengers should be cautious about sharing their PNR codes publicly. Travelers can also request a booking password from SpiceJet customer service, if the option is available.

Broader Implications for Airline Security

This is not an isolated incident. PNR enumeration vulnerabilities have been found in multiple airlines over the years, including Lufthansa, British Airways, and Ryanair. The root cause is often the same: treating PNRs as secret tokens when they are not designed to be secrets. A PNR is a reference number, not a password.

Airlines should adopt a "defense in depth" approach: randomize PNRs, enforce rate limits, and require additional authentication for sensitive operations. The International Air Transport Association (IATA) has published guidelines on PNR security, but compliance is voluntary.

Conclusion

The SpiceJet booking system flaws are a wake-up call for the airline industry. With a CVSS score of 7.5, these vulnerabilities pose a serious risk to passenger privacy. While the technical fix is straightforward, the broader challenge is cultural: airlines must stop treating PNRs as secrets and build security into their booking systems from the start.

Passengers can protect themselves by avoiding sharing PNRs on social media, using booking passwords when available, and monitoring their bookings for unauthorized changes. For now, the onus is on SpiceJet to deploy a patch swiftly and transparently.