The “No Fly List” Has Become Publicly Available

The American airline CommuteAir accidentally left on an insecure server a list of persons who should not be allowed on board aircraft flying to or from the United States (the so-called “No Fly List”).

This database, containing more than 1.5 million records, was discovered by the researcher.

The Swiss hacker maia arson crimew, who considers himself a hacktivist, reported his discovery to The Daily Dot. In the past, this person was known as Tillie Kottmann, but recently officially changed his name to the above.

Let me remind you that in 2021, the US authorities filed charges against arson crimew, claiming that the hacker was involved in hacking more than 100 companies and leaking confidential data (for example, the incident with Nissan was strange). Although Switzerland does not have an extradition treaty with the United States, now arson crimew cannot leave his native country, fearing an international warrant, which, most likely, has already been issued by Interpol.

The researcher told reporters that he was just bored and rummaged through the IoT search engine Zoomeye (Chinese equivalent of Shodan) when he discovered another unsecured Jenkins server, of which there are plenty on the Internet.

On this particular server, the abbreviation ACARS (Airborne Communications Addressing and Reporting System) and numerous references to the word “crew” (“crew”) attracted the attention of arson crimew, after which it turned out that the unprotected car belonged to CommuteAir.

The server, open to the public, stored a variety of data, including the personal information of approximately 9,000 CommuteAir employees, flight directions, and the researcher found that he could easily access flight plans, aircraft maintenance information, and other data.

Also, there was eventually found a file containing a copy of the so-called “No Fly List”, dated 2019. This list contains over 1.56 million entries and includes names and dates of birth, although many entries are duplicated.

Such bases appeared in the early 2000s, after the September 11 terrorist attacks. At first, they contained only a few dozen names (mostly people who are “known or reasonably suspected of involvement in terrorist activities”), but after the attacks and the creation of the Department of Homeland Security, the lists began to grow rapidly.

The exact number of people currently on the No Fly List is unknown, and the lists contain multiple entries per person, but the latest estimate is between 47,000 and 81,000 people.

Representatives of CommuteAir confirmed that the leak did indeed take place and was due to an incorrectly configured development server.