A vulnerability affecting hundreds of airlines around the world allowed non-ticketed passengers to find and print someone else's boarding pass for a future flight.
Thankfully, the security hole has now been closed.
It was related to a vendor named Amadeus and its self-service check-in software for airline passengers.
BankInfoSecurity covered the story:
It was possible to download valid boarding passes—not belonging to the user—for future flights due to an insecure direct object reference weakness within the application. Insecure direct object reference or IDOR vulnerabilities occur when an application provides direct access to objects based on user-supplied input, bypassing expected authentication and user access controls.
