December 19, 2025
Fasten seatbelts: comment turbulence
Reverse Engineering Major US Airline's PNR System and Accessing All Reservations
Avelo’s booking code blunder sparks snark, applause, and a bug bounty fight
TLDR: A researcher found Avelo’s booking system leaked reservations with only a booking code; the airline fixed it fast. Commenters argued over calling Avelo “major,” slammed the writeup’s sensational, AI vibe, and asked about missing bug bounty—while many still cheered the responsible disclosure and quick patch.
Forget the tech jargon: a researcher noticed Avelo Airlines’ booking page would cough up full reservation details if you had the six-character code—no last name required. That’s the info in your Passenger Name Record (PNR), basically your travel file. Discovered Oct 15, fixed by Nov 13, published Nov 20, and Avelo owned it with fast, professional disclosure. But the comments took off. One user deadpanned, “Major? Avelo?”, and a pile-on followed, arguing whether the airline is big enough to headline. Another crew rolled their eyes at the prose: “Annoying sensationalist writing,” with accusations the post reads like it was co-written by AI.
Yet the applause section was loud too: “Great work” and “impressive find,” along with memes about brute-forcing booking codes being a “six-hour Black Friday for hackers.” People translated the math into jokes: if the “hit rate” is 1 in 270, you’d start pulling stories faster than complimentary pretzels.
The spiciest fight? Money. Commenters asked, “Sounds like no bug bounty?”, sparking a debate over ethics versus compensation—should a company pay for a lifesaving fix, or is kudos enough? Others defended Avelo’s playbook: fast patch, clear communication, respectful tone. Verdict from the crowd: the vuln was real, the fix was swift, and the headline… maybe a bit economy-plus.
Key Points
- A vulnerability in Avelo Airlines’ reservation system allowed access to full booking details using only a 6-character confirmation code.
- The system lacked last-name verification and rate limiting on reservation endpoints, enabling feasible brute-force attacks.
- Keyspace was 36^6 (~2.18 billion); at 100,000 req/s, all combinations could be tried in ~6 hours with a small server cluster.
- An estimated 8 million tickets implied a ~1/270 hit rate, meaning sensitive data could begin returning quickly.
- Discovered Oct 15, 2025; Avelo responded Oct 16, patched Nov 13, and the researcher verified fixes before publishing Nov 20.