It’s very hard for management, even IT managers, to fully understand what such things mean.

I’ve seen huge issues, like exposed keys, being treated as a small issue. While an outdated js library, or lack of ip6 support being escalated.

I’m sure TSA and their partners wants to downplay potential exposure, I’m also sure it’s hard for a lot of their managers to fully understand what the vulnerability entails (most likely their developers are downplaying their responsibility and pointing fingers at others)

TSA is security theater, it is there to give the illusion of security. In reality it seems more like the goal is the entrenchment of surveillance and the appearance of strength.

> It's interesting to see that DHS seemingly (initially) handled the report promptly...

I think DHS mid level manager yelled at a TSA mid level manager who reported this to the senior TSA officials and then their usual policy kicked in... deny/deflect/ignore

What was surprising to me was that they didn't immediately do pre-dawn raids on the pentesters' homes and hold them without a lawyer under some provision of an anti-terror law.

[flagged]

You're not wrong, but I would have a hard time as a jury member convicting them of a CFAA violation or whatever for creating a user named "Test TestOnly" with a bright pink image instead of a photo.

If they had added themselves as known crewmembers and used that to actually bypass airport screening, then yeah, they'd be in jail.

If anyone from there reads the parent, they should know they have created an atmosphere where the worry of possible prosecution over responsible disclosure has the potential to scare away the best minds in our country from picking at these systems.

That just means the best minds from other, potentially less friendly countries, will do the picking. I doubt they will responsibly disclose.

DHS officially uses bugcrowd, for what it's worth.

https://bugcrowd.com/engagements/dhs-vdp

They've had that relationship for a few years now, so I'm guessing they're somewhat versed. TSA specifically might be less so, but I can't imagine the DHS referring anything to the DOJ for prosecution given that they both have a VDP for the entire department and advise other departments on how to run VDPs (via CISA).

But I might just be overly optimistic.

In some countries where this is the norm, like Germany, the usual route is to report the issue to journalists or to non-profits like the CCC and those then report the issue to the government agency/company. This way you won't get prosecuted for responsible disclosure. Alternatively an even safer route is to write a report and send it to them anonymously with a hard deadline on public/full disclosure, won't get any credit for the discovery this way of course.

The statute of limitations is long and HSI often delays their indictment until the investigation is mostly wrapped up.

The timeline mentions the disclosure was made through CISA, and on their website there is an official incident report form.

I can imagine an email to some generic email address could have gone down the way you describe, but I guess they look at these reports more professionally.

https://myservices.cisa.gov/irf

Good catch. Of course, different people wear different shades of hat, and I guess the author might have good rationale for going quite as far as they did, I don't know.

Kudos to the author for alerting DHS. Methodology questions aside, it sounds like the author did a service, by alerting of a technical vulnerability that would be plausible for a bad actor to seek out and successfully discover.

But regardless, I hope any new/aspiring security researchers don't read this writeup, and assume that they could do something analogous in an investigation, without possibly getting into trouble they'd sorely regret. Some of the lines are fuzzy and complicated.

BTW, if it turns out that the author made a legality/responsibility mistake in any of the details of how they investigated, then maybe the best outcome would be to coordinate publishing a genuine mea culpa and post mortem on that. It could explain what the mistake was, why it was a mistake, and what in hindsight they would've done differently. Help others know where the righteous path is, amidst all the fuzziness, and don't make contacting the proper authorities look like a mistake.

I mean... they still might if the wrong people end up getting embarrassed by this. The wheels of bureaucracy are slow.

This used to be a question on the Triplebyte interview almost verbatim, and a huge percentage of (even quite good) engineers got it wrong. I'd say probably <20% both salted and used a cryptographically-secure hash; MD5 specifically came up all the time. And keep in mind that we filtered substantially before this interview, so the baseline is even worse than that!

The md5 part of the sqli is added by the pentester, likely because they needed a call that would end in a parenthesis within the injection parameter

This is exactly the kinda bug where you want to make a big splash though. You don't just want the guy to silently fix it, everyone in the database needs to be vetted again.

Whatever their motive was, the engineering process that allowed such a common bug to sneak in is broken. If the sole developer immediately fixed it, it would have been hard to escalate the issue so that maybe someone up the chain can fix this systematically. I'm not sure such overhaul would really happen but it's more likely that it won't if not escalated.

Agreed that they wanted to fully understand the extent of the hack before disclosing

I came here to say this. Totally uncalled for not to contact the site first that had these holes and instead go to homeland security.

The author made the right move by doing this through FAA and CISA (via DHS), rather than directly via TSA. It's not inconceivable that a direct report to TSA would have resulted in legal threats and bluster.

Those kind of wheels turn very slowly. I will bet any takers $50 that Ian will be prosecuted.

This should be news lol, I’m surprised a bored year 17 year old with a fake id hasn’t made a TikTok sneaking on board a plane. Sql injection ffs

Does anyone remember Bruce Schneier and his faked boarding passes? The TSA scribble used to be the weak point of the entire system.

The "airlines" that are using something like FlyCASS are themselves smaller operations and typically running on razor thin margins (if not just unprofitable and wishfully thinking that money will suddenly appear and make their business viable). Literally everything on their backend is held together with more duct tape than the average small business.

You could be an "airline" by purchasing a couple of older airliners and converting them to cargo use. Is it valuable for new airlines to get started? Should we force them out of business because they don't already have the systems in place that take years to decades to build out? Should they pay $$$ for boutique systems designed for a large passenger airline when they have 2 aircraft flying 1 route between nowhere and nowhere?

Requirements and audits really aren't the answer here. The fundamental design problem is that the TSA has used authentication "airline XXX says you're an employee" with a very large blanket authorization "you're allowed to bypass all security checks at any airport nationwide" without even the basic step of "does your airline even operate here?"

And what will homeland security or the FBI get out of it after concluding that that these "dudes" are two well known talented security researchers trying to conduct responsible disclosure to make air travel safer?

Pretty much, although most TsA check lines no longer require even a boarding pass- so in theory you could pack a bomb with you then bypass all the security theater with this.

Sounds like you get to sit in the cockpit too?

If there are any criminal charges here it will be for the reporters. Not the developers.

To think otherwise is beyond naive.

Only malicious foreign actors are encouraged to survey the security of systems of national interest, since they can't easily get prosecuted. Systems working as intended.

I disagree. Give me an example of a white hat hacker in Germany going to jail.

Real reason: the dev would fix it and they'd be stuffed. That doesn't encourage the DHS to actually look into the issue and see what else is broken.

This is confusing to me as well. You could always escalate later, right?

You'd need more than this to board an aircraft, but who's to say that the goal of an attacker is to board an aircraft?

At the very least it sounds like you can get the password of many users (MD5 isn't exactly secure) and if they're sharing passwords then that's bad for them. You can also gain admin access and mess around with the site practically undetected for an indefinite amount of time.

Because you can't get near the pilots anymore, and because everybody assumes a hijack is suicidal and reacts accordingly.

Maybe a SQL injection gets you onto the plane, but crashing that plane gets your country destroyed and the neighboring ones bombed for good measure.

What the US lacks in cybersec, it tends to make up for with IRL pew pews...

I am sorry, are you non-sarcastically arguing that being able to pass through airport security, potentially accessing cockpits and planting bombs onboard airplanes, with a high-school level SQL injection on a federal website used by dozens of airlines & airlines employees, is actually, "fine"?

Besides, I am not sure what sort of "security through obscurity" you are talking about? Ian and Sam found it, and frankly - with a public page, page title + first h1 tag clearly stating that this relates to a Cockpit Access system, this has got to show up in a shit ton of security research search engines instantly.

Every person working in security, or even familiar with security, would know how to exploit this. It was a ticking time bomb. And it gives you admin access to the entire system. People could have already have exploited it and we wouldn't even know.

I'm not sure I'd write this off because having a weak spot like this and information gained could lead to more discovery of the obscure. It's never a good security design to rely on someone never finding my secret API routes that I named after my co-workers that I despised

I agree they shouldn't have written it in such a "now let me embarrass you and show how right I am" way (and they also should have shown a lot more awareness of how embarrassing this was and, also of how: while infosec is super important, there are other priorities that need to be protected in how this is disclosed, too -- especially if they are hoping for constructive engagement with the orgs involved which, like it or not, is what practical security requires, if your point in disclosing is to make a meaningful positive difference, which is really important given the scale/scope of this vulnerability), but I don't think it worked out bad for these two judging from their Twitter feeds. I don't know them, but:

Two guys from (or based in) the Midwest:

Ian did his first DEFCON talk a couple weeks ago (https://x.com/iangcarroll), and Sam (the other author), was the guy that a couple years back Google accidentally sent 200K USD to, and has 81K X followers, and was recently singing the praises of that much lauded recent PHRACK article on "Hacking means understanding the world" (that was also popular round here): https://x.com/samwcyo/status/1823571295189008601

They both seem like legit security researchers from their X feeds.

I guess that petulance-tinged adolescent attitude is like the secret handshake of the security researcher world, which sounds too disparaging -- but it's not meant to be...only that probably that's what you need to expect from folks who "understand the world", where they're smarter, what's broken, and should be fixed.

I get how that attitude rubs people the wrong way and causes more harm than good - but I don't mind it much myself - I guess I just set high expectations for the kind of impact such folks could have, and I think they could have more impact if they adopted a more professional, collegiate attitude in their way of working.

But I guess that comes with the territory. Because it's really only the "outsiders" who will sit around poking at things to figure out how they work, and how to fix em, make em better. Those who feel themselves to be "rejects' from the normal world, in sense, are always gonna carry a bit of the tinge of that perspective with them. But, whaddayagonnado? Those are really only gonna be the ones who "understand the world", so you have to rely on them. Odd couples, that pairing. Between industry and these hackers.

Reminds me of the guy that created a simple one-page website to make fake boarding passes, only to get into controlled areas of airports (not to actually fly).

<knock> <knock>'d

They should just leave the system wide open?

I found the pink picture underwhelming. So many possibilities, yet a missed opportunity.

> FlyCASS seems to be run by one person

Bobby is growing up

> Hilarious that the entire TSA system is vulnerable to the most basic web programming error that you generally learn to avoid 10 minutes

The article mentions that FlyCASS seems to be run by one person. This isn't a matter of technical chops, this is a matter of someone who is good at navigating bureaucracy convincing the powers that be that they should have a special hook into the system.

What should really be investigated is who on the government side approved and vetted the initial FlyCASS proposal and subsequent development? And why, as something with a special hook into airline security infrastructure, was it never security audited?

That's bc TSA is all theatre. They fail Homeland Security audits more often then they pass. [1]

It's supposed to give you the illusions of security while giving a DHS a bigger budget, and it employs a lot of low skilled workers.

It is what you should think of when you think "big, dumb government."

[1] https://abcnews.go.com/US/tsa-fails-tests-latest-undercover-...

Having done software development with other federal agencies, they probably outsourced maintenance of critical national security mandates to Deloitte who has a team with managers in India running everything with a completely counterproductive culture of hubris solely to make the two managers look good, and anybody that questions that gets terminated in a week

Authoritarians don't like being challenged like this and it tends to enrage them. Its not unheard of for them to arrest/imprison well meaning security researchers who rightfully point out their own failings.

That's a problem with authoritarian organisations/regimes in general. They value loyalty over competence and you end up with people being in positions they shouldn't be in.

For an overtly authoritarian institution it actually surprises me they do the old delete and pretend it never happened approach to basic security.

> Hilarious that the entire TSA system is vulnerable to the most basic web programming error

Because it's a scam and the system is a grift.

I'm a pilot and own a private aircraft. Landing at any airport, even my home airport which is restricted by TSA is legal without any special requirement or background check. In fact, I have heard horror stories where TSA wouldn't let a pilot retrieve their aircraft for some bullshit administrative reason or another, so they enlisted a friend with a helicopter to drop them into the secure area to fly it out. Perfectly legal. The fact that the system can be brought down with a SQL attack is the least of it.

It sure would be nice if someday we get to have some TSA-free airlines and TSA-free flights for people that don’t want to get sprayed by ionizing radiation before every flight but don’t fly often enough to warrant a yearly membership fee. It would be interesting to see what people choose if a choice is available.

We haven’t had a large commercial plane go down in over 10 years since 9/11. Everyone that comes to the USA has been fully screened, vetted, and background checked. We’re all very safe. Mayorkis at the DHS has made sure there aren’t any terrorists in our homeland because the government only exists to protect us from danger and make our lives better.

I find it amusing (actually more tragic than amusing) that the same politicians who tell us all day that corporations can't be trusted because they are run by people with character flaws (greed, lying, laziness, etc.); will turn around and tell us that handing more power and influence over to a government agency is a good idea.

They make it sound like the job pool between the public and private sector is completely separate when many people move back and forth between the two.

Take away the accountability that often governs the private sector and that seems to be the recipe for situations like this.

Being that CISA is under the same parent org of TSA that there should be ongoing internal evaluation/remediation of sibling services.

https://www.cisa.gov/

In practice, these systems get stronger rather than imploding. Any failure becomes a justification for more power that they can use to "prevent this from ever happening again". A system that ran smoothly and never had issues wouldn't be able to grow like this (and might even shrink as people start to take it for granted).

True but even though I’ve always been careful to escape sql, I’ve also made an oversight once by writing a custom SQL filter and missing to escape it. The code reviews also missed it (we were so used to the framework solving it for us). Luckily a pen test found it and was only shortly in production.

It might have been an insanely old application that predates SQL injection being common knowledge (or required to be protected against) and has been forgotten about/poorly maintained.

There are oodles and oodles of apps like this powering our daily lives.

[dead]

TBF, TSA =/= 'Trained SQL Administrator' - so we can't hold _that_ against them...

[flagged]

Looks to me like there's a reason this vulnerability exists ... for example, to help certain people have a simple way to avoid TSA searches and/or credential checks.

really feels like SQL should have never been written in such a fundamentally insecure manner, or immediately fixed once it was discovered that it was

I believe the biggest increase in security since 9/11, is that passengers are no longer expected to sit down and behave.

Pre-9/11, the expectation was you don't draw attention to yourself, wait it out, you're going to have a long day and a story to tell. Post-9/11, the expectation is you fight for your life.

Better cockpit doors and access hygiene probably come second.

> zero difficulty replaying 911.

The attacks of September 11th 2001 are fundamentally not reproducible irrespective of whether there is _any_ security screening at airports.

The default assumption before that morning was that a hijacked plane would fly around for a bit, then land. The default assumption afterwards is that it will be crashed if a hijacker is allowed to gain control, so the calculus on passenger intervention is quite different.

Maybe I am a naive idiot, but I would assume that other agencies like the FBI provide some protection even if TSA is not great. I occasionally see notable examples, like the CIA being responsible for discovering planned attacks on the recent Taylor Swift concert in Vienna that was then canceled.

The real reason is that people make mistakes all the time. There is no shortage of potential mass murderers, are there are plenty of successful ones. But if their plans are too ambitious or involve too many people, they tend to fail due to stupid mistakes. And when those stupid mistakes happen, security agencies (and even ordinary police) have a good chance of catching them.

> The reason there aren't more terrorist attacks isn't because various security agencies around the world protect us from them. It's because there are extremely few terrorists.

There's plenty of terrorists, but destabilisation of Middle East diverted them away from continental US. Wasn't that the whole point of Afghanistan and Iraq wars?

It’s also just one of those hard things to prove: is TSA actually stopping attacks like 9/11? The simple presence of them might be enough of a deterrent or we might just be extremely lucky. Seems these days the real threat is drunk passengers attacking flight attendants.

It doesn't seem particularly unique to TSA. Flying elsewhere in the world has essentially identical security screening, with all the same stupidity.

I'm a little butthurt right now, in particular, about the security at Heathrow. They confiscated a bottle of whisky that we got in Edinburgh. After 10 minutes of head-scratching and consulting with a supervisor, they concluded that "it does not say 100ml" (it had "10cl" cast into the glass) and "even then, that is just the size of the bottle, not the liquid inside it." What an incredible demonstration of intelligence there.

They gave us a receipt and said we could have it shipped. We checked when we got home. 130 GBP with shipping. Ended up just buying a 700ml bottle from an importer, cost about half as much.

We as a civilization are terrible at getting over things, it seems.

They're one of the most seemingly incompetent agencies I am forced to deal with every year.

For one, why does is it that every TSA checkpoint feels like it was scrambled together? 9/11 was a long time ago. There's no reason why checkpoints can't have better signage, clearer instructions for what should or shouldn't go on a conveyor belt, an efficient system for returning containers (I've lost count of how many times the line was held up because employees didn't feel like bringing over a stack of containers in clear view), and so on. The checkpoints do seem to go a bit faster than they used to a long time ago, but it's still a frustrating process that makes me feel like an imbecile every time I use it. I do my best to follow directions, but directions are often lacking so I have to use my best judgment from past experience, and often get yelled at anyway. Do does the TSA want to be hated?

Secondly, there's been multiple occasions where I've made it through the security checkpoint with items that should obviously set off red flags. I recently made it through with a humongous center punch which, while not sharp like a knife, could do some serious damage to another person if used as a weapon. Got it through with no questions asked. I've also gotten through with scissors, knives, strangely shaped electronics, a custom build electronic device that a naive person could see as suspicious, and so on. Never have I been stopped for those things.

But laptops and e-readers? I'd better not forget one of them in my carry-on bag or I'm gonna get shouted at and be forced to re-run the bag through the scanner again. I can get through with sharp metallic tools and weird unlabeled boxes with wires hanging out of them, but I can't leave my kindle in my backpack? And what about the humongous battery packs I carry? No problem having 2 or 3 of those in my bag. I guess my Macbook Air or my e-reader possess uniquely dangerous powers I don't comprehend. Even if I try to comply with the "laptops out of your bag" rule, I might still get shouted at if I place it in a container instead of right on the conveyor belt... or if I place it in a container with some other belongings next to it.

Maybe the TSA stops terrorists that are as stupid as they are, which I guess is a good thing. But how good can stupid people be at catching other stupid people? Is it really worth it to waste everyone else's time and to treat them like crap in the process?

Yup, not surprised that the TSA also reacts with as much stupidity to cybersecurity flaws. If I became supreme leader overnight, I would work to completely dismantle the TSA and rebuild it from scratch. There doesn't appear to be any value in that agency that can't be easily replaced with something better.