Frontier Airlines API exposes passports, credit cards, and personal data via boarding pass information


A security researcher known as BobDaHacker has revealed major vulnerabilities in Frontier Airlines’ reservation system. These flaws allow anyone with a six-character reservation code, or PNR, and a passenger’s last name, both visible on every Frontier boarding pass, to access complete personal records.

This information includes passport numbers, partial credit card details and home addresses, all available through the airline’s mobile API.

The issues were first reported to Frontier on March 3, 2026. As of June 18, 105 days later, the vulnerabilities remain unpatched.

What the API exposes

The Frontier Mobile API endpoint accepts a PNR and last name, then provides a complete internal reservation record for each passenger on the reservation.

Available data includes complete home address details such as street, city, state and zip code, as well as email address and phone number.

It also reveals complete date of birth information, even for minors, along with unmasked passport details such as passport number, issuing country and expiration date. Furthermore, it states:

  • The known traveler number, used for TSA PreCheck, and the
  • The Frontier Miles loyalty number. Credit card information includes the first six digits (BIN), last four digits, expiration date, cardholder name, and full billing address.
  • Payment history data is also present, complete with authorization codes.

Why credit card exposure is worse than it seems

The exposure of credit card information is particularly significant. BobDaHacker explains that knowing the BIN (first six digits) along with the last four digits reveals only five digits of the 16-digit card number.

The sixteenth digit is a check digit generated by Luhn’s algorithm, which can be calculated from the other 15 digits. This leaves approximately 100,000 possible combinations for the middle digits that can be tested with a script in minutes.

Beyond its mobile API, BobDaHacker discovered that Frontier’s website also leaks data through its Manage My Reservation pages. The Passengers/Edit page, which can be accessed with the same PNR and surname, displays full passport numbers, dates of birth and KTN, and the data is also embedded in a server-rendered JSON blob within the page source.

When Frontier previously attempted to fix a previous email leak on the Manage My Reservation page, it introduced two new leaks, including one that exposed phone numbers.

A fourth vulnerability involved an endpoint that returned reservation data only from a PNR without requiring a last name; This was patched by Frontier.

The company sent the researcher a model airplane as a thank you. The remaining problems have not been resolved.

Disclosure timeline and what Frontier customers should do

BobDaHacker followed responsible disclosure practices. The initial vulnerability report was submitted to Frontier on March 3, 2026, and multiple follow-ups were submitted over the following months.

The formal 30-day disclosure period expired on June 12, 2026, with no response from Frontier. The public disclosure was published on June 18, 2026. As of now, Frontier has not issued a public statement.

Anyone who has flown with Frontier Airlines should take these steps to reduce the risk of exposure:

  1. Never share photos of boarding passes on social networks, even if you hide personal data, because the barcode also contains the PNR and last name.
  2. Destroy printed boarding passes after travel instead of leaving them in trash bins where they can be recovered. Check credit card statements for unauthorized charges, especially on cards used to book Frontier flights.
  3. Consider requesting a new credit card number from your bank if you recently made a reservation with Frontier. If your TSA PreCheck or passport data was exposed, monitor for signs of identity theft.

Customers concerned about specific reservations can ask Frontier to delete their personal data from previous reservations, although this does not guarantee protection against future API access.

Why the design of Frontier’s reservation system makes this vulnerability so serious

A former Frontier employee told BobDaHacker that the company’s reservation system, known internally as IBE, was already considered a legacy codebase.

The employee said the team had been discussing plans to cancel and replace it. “IBE was a mess of configuration and generated code that only one person was skilled enough to handle. Everyone else was basically dancing around it,” the former employee wrote.

The vulnerability is notable for its scale, as anyone with a Frontier boarding pass could be affected, and for the airline’s lack of action for more than three months after the responsible disclosure.

Industry standard timelines for responsible disclosure typically range from 30 to 90 days. Frontier has surpassed both.

This incident also highlights a broader problem: PNRs are printed on boarding passes because they are not considered secret. Building security around a boarding pass identifier creates risks for any airline.

In Frontier’s case, its API treats the combination of PNR and last name as sufficient authentication to unlock full passenger records, including financial and travel document data.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *