Frontier Airlines is allegedly exposing passengers' passport details, home addresses, and partial payment information through vulnerabilities in its online booking system, according to a security researcher who says sensitive booking data can be accessed using only a booking reference and surname, details printed on boarding passes and embedded in barcodes. The alleged flaw, reportedly disclosed months ago, remains unresolved.
A discarded boarding pass may carry more risk than expected, with a security researcher claiming Frontier's system has been exposing passport data, addresses, and partial credit card information through booking system weaknesses.
The vulnerabilities allegedly require only a booking reference and surname, both printed on boarding passes, allowing potential access to sensitive passenger records. Despite being notified months ago, the issues reportedly remain unpatched.
Simple Boarding Pass Details
The vulnerabilities were uncovered by security researcher BobDaHacker, who revealed that Frontier's mobile application programming interface and booking management pages allegedly provide unrestricted access to passenger records.
Using only a six-character Passenger Name Record and a traveller's surname, both of which appear on boarding passes and are stored within the barcode, users could reportedly retrieve the complete booking profile for every passenger listed under the reservation.
According to the findings, the exposed information includes full home addresses, email addresses, telephone numbers, dates of birth, passport numbers, passport issuing countries, expiry dates, Known Traveller Numbers used for TSA PreCheck, Frontier Miles loyalty account numbers, and payment information linked to the booking.
The researcher first reported the vulnerabilities to Frontier Airlines on 3 March. More than 100 days later, the issues were still reportedly active, raising concerns over how long passenger information may have remained exposed.
Payment Details Raise Fresh Security Concerns
Although Frontier does not appear to expose complete credit card numbers, the leaked payment information has still alarmed cybersecurity experts.
The booking records reportedly reveal the first six digits of a payment card, known as the Bank Identification Number, together with the final four digits, expiry date, billing address and cardholder name.
BobDaHacker explained that this combination leaves only five unknown digits in the middle of a standard 16-digit card number. Since the final digit is generated using a mathematical formula known as the Luhn algorithm, attackers could theoretically calculate valid card numbers by testing around 100,000 possible combinations through automated scripts.
While additional security measures such as CVV codes would still be required for many online purchases, the exposed payment data significantly increases the amount of information available to cybercriminals attempting identity theft or financial fraud.
The researcher also found that Frontier's 'Manage My Booking' pages exposed passport numbers, dates of birth and Known Traveller Numbers directly within webpage source code, even after previous attempts to address other privacy issues.
Legacy Booking System
Following publication of the research, a former Frontier employee reportedly contacted BobDaHacker to explain the possible reasons behind the vulnerabilities.
According to the former employee, the booking platform had long been considered outdated within the company and was expected to be replaced by a newer system. They described the existing booking engine as a complex collection of legacy code and generated configurations that very few employees fully understood.
The former staff member claimed only one senior engineer possessed the experience needed to safely modify large sections of the platform, while others largely avoided making significant changes due to concerns about breaking the system.
Although these comments have not been independently verified, they have added further attention to questions surrounding Frontier's technology infrastructure and whether ageing systems contributed to the reported security weaknesses.
Frontier Yet To Publicly Respond
BobDaHacker said the disclosure followed responsible security reporting practices.
The researcher initially contacted Frontier in early March before sending several follow-up messages and eventually providing a formal 30-day deadline that expired on 12 June. According to the disclosure, Frontier addressed one vulnerability that allowed booking information to be accessed using only the booking reference, but the remaining flaws were allegedly left untouched.
As of publication, Frontier Airlines has not issued a public statement addressing the reported vulnerabilities or confirmed whether passenger information has been accessed by unauthorised individuals.
