66Trust
Partially True
🔍 Web Verified
BobDaHacker 🏳️⚧️onMastodon5d ago
✈️ New Blog Post: Your Boarding Pass Is a Skeleton Key. Frontier Airlines Doesn't Care.
Frontier's mobile API returns full passport numbers, home addresses, children's DOB, credit card details, and KTNs for any booking. The only auth? A PNR and last name. Printed on every boarding pass.
Reported March 3rd. 105 days later, still live. They fixed the least important vuln and ghosted me on the rest. They also updated the website code and somehow made the leaks worse.
Full writeup: https://bobdahacker.com/blog/frontier-airlines-hack
#InfoSec #BugBounty #ResponsibleDisclosure #FrontierAirlines #Security #CyberSecurity #Privacy #Aviation #PCIDSS #DataExposure
Trust Metrics
75
65
55
55
Accuracy75%
Framing65%
Context55%
Tone55%
Analysis Summary
A security researcher claims Frontier Airlines' mobile API leaks sensitive passenger data (passport numbers, addresses, credit card details) using weak authentication — a PNR and last name printed on boarding passes. The researcher says they reported the flaw March 3rd and Frontier has ghosted them for 105 days while the vulnerability remains live. No major news outlets have independently verified this vulnerability or Frontier's response, making the claim impossible to confirm from public sources — it relies entirely on the researcher's own documentation.
Claims Analysis (4)
“Frontier's mobile API returns full passport numbers, home addresses, children's DOB, credit card details, and KTNs for any booking with only a PNR and last name for authentication.”
Core vulnerability claim comes from researcher's own blog post — primary source reporting but not independently confirmed by major outlets. Web search found no news coverage of this specific Frontier vulnerability despite reporter's claim of 105-day disclosure window. Independent verification impossible without testing the API.
“The vulnerability was reported on March 3rd and remains unfixed 105 days later.”
Timeline is internally consistent with post date (June 16), but no independent news coverage confirms the March 3rd report date or current unfixed status. Frontier has not publicly acknowledged the disclosure.
“Frontier fixed the least important vulnerability and ghosted the researcher on the rest.”
Characterization of Frontier's response depends on access to full disclosure email chain — not verifiable from public sources. No news outlets have covered Frontier's response.
“Frontier updated website code and made the leaks worse.”
Specific technical claim about code changes and their effect. Unverifiable without direct testing or independent security audit. Not covered in available news sources.
Was this analysis helpful?
Try ClearFeed free →