Frontier Airlines API leaks passenger data from boarding pass scans

Key Takeaways

• Anyone with a boarding pass barcode and last name can pull a passenger's full personal info via Frontier's API
• Exposed data includes home address, passport details, TSA PreCheck codes, and 11 of 16 credit card digits
• Frontier's partial fix still leaves critical vulnerabilities active three months after disclosure

Frontier Airlines' website and mobile API expose passengers' full personal information to anyone who can scan a boarding pass barcode, according to security researcher BobDaHacker. The flaw, disclosed over three months ago, lets attackers retrieve home addresses, passport numbers, TSA PreCheck codes, and most credit card digits using just a six-character booking code and a last name. Frontier has partially patched the issue, but the core vulnerability remains live.

The attack is embarrassingly simple. Every boarding pass contains a Passenger Name Record (PNR), a six-digit alphanumeric code printed in plain text and encoded in the pass's barcode. Feed that PNR and the passenger's last name into Frontier's mobile API, and the system returns a payload containing the passenger's home address, email, phone number, full date of birth, complete passport data, payment history, and 11 of the card's 16 digits. The only pieces missing are the middle five digits and the CVV.

Why is the TSA PreCheck leak so dangerous?

Among the exposed fields, the Known Traveler Number (TSA PreCheck code) stands out. That number is tied to a passenger's vetted identity and grants expedited security screening. If stolen, it could theoretically let an identity thief bypass standard TSA checks by impersonating the original holder. For airlines and federal security, this is not a privacy inconvenience. It is a checkpoint integrity problem.

The credit card exposure is nearly as bad. With the first six and last four digits visible, plus the cardholder's name and expiration date, brute-forcing the middle five digits becomes computationally trivial. That leaves only the three-digit CVV as the final barrier. Merchants that skip CVV verification, or attackers who phish the CVV separately, can complete the fraud.

What did Frontier actually fix?

Before BobDaHacker's disclosure on March 3, the PNR alone was enough to pull passenger data. The six-digit code could even be brute-forced by looping through combinations. Frontier's patch added a second factor: the system now requires the passenger's last name alongside the PNR. Since both are printed on the boarding pass, the fix does little to stop anyone who photographs, scans, or glances at a pass in an airport.

Worse, the researcher found that Frontier's booking management pages on the web expose the same data in their HTML source code and API calls. The "Manage My Booking" page leaks name, email, and phone number. The "Passengers / Edit" page reveals full passport details and TSA PreCheck numbers. In one case, Frontier's attempted fix for a data-leaking page introduced even more exposure than the original version.

How did Frontier respond to the disclosure?

BobDaHacker followed standard responsible disclosure. They contacted Frontier on March 3, followed up on March 9, and attempted to give the company 90 days to patch before going public. Frontier fixed the brute-force loophole and sent the researcher a model plane. Compensation discussions began, but Frontier reportedly flip-flopped on a proper response. As of publication, the critical API vulnerabilities remain active.

"Frontier's passengers deserve better," BobDaHacker wrote in their blog post. The researcher has now published full technical details, including proof-of-concept demonstrations.

What should travelers do now?

The immediate advice is to treat boarding passes as high-risk identity documents. Do not post photos of them on social media, even with the name redacted. The barcode encodes the PNR in plaintext, so anyone can extract it with a free scanner app. After travel, shred the pass. If you suspect your data has been accessed, monitor your credit card statements and consider a credit freeze.

• Never photograph or share your boarding pass publicly
• Shred boarding passes after use
• Monitor credit card statements for unauthorized charges
• Consider a credit freeze if your PNR was exposed

Discussion on Reddit's r/cybersecurity and r/frontierairlines threads has been blunt. Users are calling Frontier's handling negligent and urging travelers to assume their data is already compromised if they flew Frontier recently.

Frequently Asked Questions

What information does the Frontier Airlines data leak expose?

The vulnerability exposes passengers' home addresses, full passport details, email, phone number, date of birth, TSA PreCheck codes, payment history, and 11 of 16 credit card digits.

How can someone access another passenger's data?

By scanning a boarding pass barcode or noting the PNR and last name, then querying Frontier's mobile API. Both pieces of information are printed on the boarding pass.

Has Frontier Airlines fixed the vulnerability?

Frontier patched the brute-force attack on PNRs, but the core API flaw that exposes passenger data using a valid PNR and last name remains active.

What should Frontier passengers do to protect themselves?

Never share boarding pass photos, shred passes after travel, monitor credit card statements, and consider a credit freeze if you suspect exposure.

Why is the TSA PreCheck exposure particularly serious?

The Known Traveler Number is tied to a vetted identity and grants expedited security screening. If stolen, it could potentially be used to impersonate the original holder at TSA checkpoints.

Source: Latest from Tom's Hardware