A security researcher found that two pieces of info printed on every Frontier boarding pass unlock passports, home addresses, and near-complete credit card data. The airline’s response after three months? A model airplane.
Travelers who posted a boarding pass photo at the gate—or left a crumpled one in the seatback pocket—may have handed attackers everything needed to access their most sensitive personal data. Security researcher BobDaHacker documented that Frontier’s mobile API returns a full internal booking record—passport numbers, home addresses, children’s dates of birth, near-complete credit card details—when queried with just a six-character booking code (the PNR, or record locator) and a last name. Both are printed in plain text on every boarding pass, according to independent reporting from TechSpot and Tom’s Hardware.
What Actually Gets Exposed
The API returns a disturbingly complete dossier on every passenger tied to a booking.
For every person on the reservation, including minors, the API returns:
- Full home address, email, phone number, and date of birth
- Complete, unmasked passport number, issuing country, expiration date, and nationality
- Known Traveler Number (the TSA PreCheck identifier)
- Credit card first six digits, last four digits, expiration date, cardholder name, full billing address, and payment history with authorization codes
That “partial” card data is close to a complete card number. On a 16-digit card, the first six digits (the issuer’s BIN) and the last four leave six unknown middle digits, but the Luhn check digit rules out nine of every ten combinations, so only about 100,000 candidates are actually valid. Working through that list needs an oracle that says which candidate is right, and a merchant’s checkout page is exactly that: spread the guesses across many merchants and no single one sees enough failed attempts to block them. The expiration date is already in the record, the full billing address satisfies most merchants’ Address Verification (AVS) checks, and that leaves the CVV as the only remaining secret; according to BobDaHacker’s analysis, many online merchants don’t strictly require it. First six plus last four is also the most that PCI DSS allows to be displayed, which is presumably why the response looked “masked” to whoever designed it.
“That’s it. That’s the security.” — BobDaHacker, describing an API authentication system reduced to two data points printed on every boarding pass
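To make the arithmetic concrete, here is an added worked example (not code from the article or from BobDaHacker) that enumerates every 16-digit card number consistent with a known first six and last four and passing the Luhn check. Instead of testing all 10**6 middle values, it treats five of the six hidden digits as free and solves the sixth from the checksum, which is why the count comes out at exactly 100,000. The prefix and suffix used are the well-known “4111…1111” test pattern, chosen for illustration only.

```python
"""Added worked example: how much 'first six + last four' really hides.
The card prefixes used here are the familiar 4111...1111 test pattern,
constructed for illustration; they do not belong to any real account."""


def luhn_contribution(digit: int, doubled: bool) -> int:
    """Luhn weight for one digit: doubled positions use 2d, minus 9 if > 9."""
    if not doubled:
        return digit
    d2 = digit * 2
    return d2 - 9 if d2 > 9 else d2


def luhn_sum(digits: str) -> int:
    """Weighted Luhn sum; every second digit counted from the right is doubled."""
    return sum(
        luhn_contribution(int(ch), i % 2 == 1)
        for i, ch in enumerate(reversed(digits))
    )


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    return digits.isdigit() and luhn_sum(digits) % 10 == 0


def luhn_candidates(first6: str, last4: str, length: int = 16) -> list[str]:
    """Every PAN of `length` digits that starts with first6, ends with last4
    and passes Luhn. All but one of the hidden middle digits are free; the
    last one is forced by the check, so the count is 10**(middle - 1):
    exactly 100,000 for a 16-digit card, not the 10**6 that six unknown
    digits suggest."""
    middle = length - len(first6) - len(last4)
    if middle < 1:
        raise ValueError("no hidden digits to enumerate")
    free = middle - 1
    forced_pos = len(first6) + free                 # left-based index of the forced digit
    doubled = (length - 1 - forced_pos) % 2 == 1    # its Luhn weight, counted from the right
    # The weight function is a bijection on 0..9 for both weights, so each
    # required residue maps back to exactly one digit.
    digit_for_residue = {luhn_contribution(d, doubled) % 10: d for d in range(10)}
    candidates = []
    for n in range(10 ** free):
        body = first6 + (f"{n:0{free}d}" if free else "")
        # A '0' in the forced slot contributes nothing, so this sum covers everything else.
        residue = (-luhn_sum(body + "0" + last4)) % 10
        candidates.append(body + str(digit_for_residue[residue]) + last4)
    return candidates


if __name__ == "__main__":
    cands = luhn_candidates("411111", "1111")
    print(len(cands), "Luhn-valid 16-digit candidates")
    print("4111111111111111" in cands)
```

Each candidate still has to be confirmed against something that knows the real number, which in practice means a merchant authorization attempt; the list above is the search space, not the oracle.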
Three Months of Silence and a Model Airplane
Frontier let a formal disclosure deadline expire without response, leaving the most severe flaws live in production.
BobDaHacker first notified Frontier on March 3. A formal 30-day disclosure deadline, expiring June 12, followed, and Frontier reportedly let it pass without response. The airline’s only documented action: patching one lower-severity endpoint and mailing the researcher a model airplane. As of the mid-June public disclosure, the API that dumps passport and card data remained exploitable. No public statement from Frontier. No remediation timeline.
A former Frontier employee, writing after the disclosure went public, described the booking engine as “a mess of generated config and code that only one person was senior enough to touch.” This is the codebase equivalent of still running Windows XP because nobody remembers the admin password—except it’s handling your passport data.
Treat boarding passes like bank statements: shred them, and stop posting them online. Blurring the printed text isn’t enough, because the booking code and passenger name are also encoded in the pass’s barcode. Monitor your card activity if you’ve flown Frontier recently, and consider placing a fraud alert if you’re concerned. This isn’t just one budget carrier’s problem. Booking code plus last name has been the airline industry’s standard “login” to a reservation for decades, and researchers have warned about it publicly since at least 2016; this is what happens when modern APIs are bolted onto legacy systems and called secure.
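The article doesn’t go into the barcode, but the two values Frontier’s API accepted as credentials are also the first mandatory items of the IATA Bar Coded Boarding Pass (BCBP) string that every standard boarding pass barcode encodes. The following is an added example, not code from the article or from BobDaHacker, that pulls the booking code and surname out of such a string; the sample pass is constructed for illustration and is not a real boarding pass.

```python
"""Added example: the booking code and surname that Frontier's API treated
as credentials are fixed-width fields of the IATA BCBP barcode payload.
SAMPLE_PASS below is constructed for this example, not a real boarding pass."""

# Mandatory items of an IATA Bar Coded Boarding Pass (Resolution 792),
# fixed-width and in this order; 60 characters for a single-leg pass.
BCBP_MANDATORY = [
    ("format_code", 1),        # 'M' for the standard format
    ("legs", 1),
    ("passenger_name", 20),    # SURNAME/GIVEN, space padded
    ("eticket", 1),
    ("pnr", 7),                # operating carrier record locator (booking code)
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight", 5),
    ("julian_date", 3),
    ("compartment", 1),
    ("seat", 4),
    ("sequence", 5),
    ("status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in BCBP_MANDATORY)   # 60

# Constructed sample: fictitious passenger and booking code, Denver to Las Vegas.
SAMPLE_PASS = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "Q7X9K2".ljust(7)
    + "DEN" + "LAS" + "F9".ljust(3) + "1234".ljust(5) + "045" + "Y"
    + "012A" + "0042".ljust(5) + "1" + "00"
)


def parse_bcbp(data: str) -> dict[str, str]:
    """Split the mandatory block of a BCBP string into named, stripped fields."""
    if not data.startswith("M") or len(data) < MANDATORY_LEN:
        raise ValueError("not a BCBP mandatory block")
    fields: dict[str, str] = {}
    pos = 0
    for name, width in BCBP_MANDATORY:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    return fields


def booking_credentials(data: str) -> tuple[str, str]:
    """Return (booking code, surname): the exact pair the article describes
    as sufficient to pull a full reservation from the API."""
    fields = parse_bcbp(data)
    surname = fields["passenger_name"].split("/", 1)[0]
    return fields["pnr"], surname


if __name__ == "__main__":
    print(SAMPLE_PASS)
    print(booking_credentials(SAMPLE_PASS))
```

Any phone barcode scanner app recovers this string from a photo, so a blurred name and record locator on an otherwise visible pass protects nothing.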