RSS

Boarding Pass Is a Skeleton Key. Frontier Airlines Doesn't Care

scrtm2 pts0 comments

Your Boarding Pass Is a Skeleton Key. Frontier Airlines Doesn't Care. | bobdahacker

🎄<br>Currently at 39C3 in Hamburg! Feel free to hit me up on my socials<br>💻

-->

Your Boarding Pass Is a Skeleton Key. Frontier Airlines Doesn't Care.

June 16, 2026

BobDaHacker

I reported this on March 3rd, 2026. It is now June 16th. 105 days later. The critical vulnerabilities are still live. Frontier fixed the least important one and ghosted me on the rest. Your passport number is still leaking.

It Started With a Tweet

Someone posted their Frontier Airlines boarding pass on X. Unblurred. PNR and last name right there. But even if they'd blurred it, it wouldn't matter because the BCBP barcode on every boarding pass contains the PNR and last name in cleartext. Any barcode reader can decode it.

A real Frontier boarding pass posted publicly on X. The original poster blacked out their name and confirmation code, but left the barcode visible. I added the pink redactions.

Here's what most people don't know: the barcode on your boarding pass isn't just a random scanner thing. It's a BCBP (Bar Coded Boarding Pass) format defined by IATA. It contains your full name, PNR (booking confirmation code), flight details, and more, all in plaintext. Any barcode reader app on your phone can decode it in seconds. So even if you black out your name and confirmation number like this person did, the barcode gives it all away. Most people think they're being careful by hiding the text. They're not.

I wondered what you could do with just a PNR and a last name.

Turns out: everything. And I mean everything. Passport numbers, home addresses, credit card details, your kid's birthday. The full internal booking object, served raw like gas station sushi.

Vulnerability 1: The Mobile API That Returns Everything

Frontier's mobile app API has an endpoint that returns the entire raw internal booking object . The only authentication? A PNR and a last name. That's it. That's the security. Two pieces of information printed on every boarding pass in existence.

https://mtier.flyfrontier.com/bookingssv/GetBookingbyParams?lastName={LAST_NAME}&recordLocator={PNR}

The response includes, for every passenger on the booking (including children):

Full home address (street, city, state, zip)

Email address

Phone number

Full date of birth (including minors)

Full unmasked passport number , issuing country, and expiration date

Nationality

Known Traveler Number (TSA PreCheck)

Frontier Miles / loyalty program number

Credit card last 4 digits, BIN (first 6), expiration date, cardholder name, and billing IP address

Full payment history with authorization codes

Internal system comments showing every email and SMS notification sent

Baggage tag numbers, booking agent IDs, fare breakdown

Gender and passenger type (adult/child)

The website masks passport numbers as XXXXX8151. The API returns the full number. No filtering. No masking. The complete internal booking object, dumped straight to the client.

Travel Documents (Passport Data)

The KTN (Known Traveler Number) document. documentTypeCode "K". Full name, date of birth, gender. All in the API response.

The passport document. documentTypeCode "P". Full passport number (redacted), nationality "IT", issued by "IT", expiration date 2034. The website masks this. The API doesn't.

Why the KTN Leak Matters

Your Known Traveler Number is what gives you TSA PreCheck. It's tied to your identity and lets you skip the long security line at US airports. If an attacker has your KTN, they can add it to their own booking and fraudulently gain PreCheck status, skipping enhanced security screening. You know, the screening that exists to stop bad things from happening on planes. TSA's own guidance says KTNs should be treated as sensitive and never exposed in client-side applications. Frontier dumps it in a JSON response to anyone with a 6-character code and a last name. Thanks Frontier, very cool.

Payment Data

Credit card details: accountNumber "XXXXXXXXXXXX7586" (last 4), expirationDate, BIN range, cardholder name, billing address including street/city/state/zip, billing email, billing IP address, authorization code, and payment amount ($609.88). All from one API call.

The binRange field in the JSON is the first 6 digits of the credit card number (the Bank Identification Number). Combined with the last 4 visible in accountNumber, that's 10 of 16 digits known. The 16th digit is deterministic (it's a Luhn check digit, calculated from the other 15). That leaves 5 unknown digits in the middle, which is ~100,000 possible combinations. That's not a theoretical attack, that's a for-loop.

Internal System Comments

Internal system comments logging every SMS and email notification sent to the passenger. "SMS Sent to [phone number]", "Email notify-gate-change sent to [email]@gmail.com". The API leaks contact info again through the notification logs even if you somehow missed it in the passenger data.

These comments are...

number name frontier boarding pass full

Related Articles

Apple WWDC 2026 Livestream

nextstep32 ptsapple stream video event live feed

Claude Fable 5

Philpax30 ptsfable claude mythos model models capabilities

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

German ruling declares Google liable for false answers in AI Overviews

ahlCVA15 ptsgoogle court search overviews content users
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.