Two cybersecurity researchers recently uncovered a significant vulnerability in the FlyCASS system, which manages the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs for airlines. This flaw could potentially allow unauthorized individuals to gain access to sensitive areas of airports and even fly in aircraft cockpits.

The researchers discovered that the FlyCASS login page was susceptible to a simple SQL injection attack. By inserting malicious SQL code into the username field, they were able to bypass the login system and gain administrative access to the database.

Once inside, they found they could add any name to the list of approved pilots and crew members without any additional checks. This meant anyone with basic knowledge of SQL injection could potentially log in and add themselves to the KCM and CASS lists.

https://www.theregister.com/2024/08/30/sql_injection_known_crewmember/

#cybersecurity #vulnerability #sql #sql_injection #attack #flycass #login #kcm #cass #airlines

Tired of airport security queues? SQL inject yourself into the cockpit, claim researchers

Infosec hounds say they spotted vulnerability during routine travel in the US

The Register

#KRITIS sector #Transport and #Traffic

#Airport #SecurityChecks in the USA bypassed via #SQLInjection

"to exploit a vulnerability in the online platform of the #FlyCASS #ControlSystem in order to gain access to #SecurityAreas that are normally reserved for #CrewMembers. The fraudulently obtained #AccessAuthorization is said to have even allowed entry to areas such as the #Cockpit of aircraft..."
https://www.heise.de/news/TSA-Airport-Sicherheitskontrollen-per-SQL-Injection-ausgehebelt-9853305.html

Airport security checks in the USA bypassed via SQL injection

Security researchers in the USA succeeded in deceiving the FlyCASS security system via SQL injection and thereby bypassing access barriers.

heise online