Conversation

Notices

  1. BobDaHacker 🏳️‍⚧️ | NB (bobdahacker@infosec.exchange)'s status on Wednesday, 17-Jun-2026 07:39:01 JST

    ✈️ New Blog Post: Your Boarding Pass Is a Skeleton Key. Frontier Airlines Doesn't Care.

    Frontier's mobile API returns full passport numbers, home addresses, children's DOB, credit card details, and KTNs for any booking. The only auth? A PNR and last name. Printed on every boarding pass.

    Reported March 3rd. 105 days later, still live. They fixed the least important vuln and ghosted me on the rest. They also updated the website code and somehow made the leaks worse.

    Full writeup: https://bobdahacker.com/blog/frontier-airlines-hack

    #InfoSec #BugBounty #ResponsibleDisclosure #FrontierAirlines #Security #CyberSecurity #Privacy #Aviation #PCIDSS #DataExposure


    Attachments

    1. Your Boarding Pass Is a Skeleton Key. Frontier Airlines Doesn't Care.
      from BobDaHacker
      How I found that anyone with a boarding pass photo can pull full passport numbers, home addresses, children's dates of birth, credit card details, and Known Traveler Numbers for every passenger on a Frontier Airlines booking. Reported March 3rd. Still live 105 days later.
