Hacker discovers US government “No Fly List” on airline test server

“Maia arson crimew” looked at an unsecured CommuteAir server out of boredom. There she found a 2019 FBI no-fly list.

Since the terrorist attacks of September 11, 2001, the FBI’s “Terrorist Screening Center” has kept centralized lists of people who are considered security risks or terrorist suspects. These people have to endure an extended security check on every flight or are not allowed to board the aircraft at all. Such a secret list has now fallen into the hands of the Swiss hacker “Maia Arson Crimew”, who was involved in the Verkada hack, among other things. She found an 80 MB file called Nofly.csv on an unsecured test server of the US airline CommuteAir.

The list contains around 1.5 million names, mostly from the Arab or Middle Eastern environment; however, there are also numerous Slavic and Spanish-sounding names among them. According to the news site The Daily Dot, suspected members of the Northern Ireland terrorist group IRA are also on the list. The hacker, therefore, assumes that it is the authentic no-fly list. The data is from 2019 and was redacted by the airline concerned, CommuteAir, so that it only contains the people’s names and dates of birth.

The airline confirmed the incident to “The Daily Dot” and took the server offline before the publication of “The Daily Dot”. CommuteAir has informed the Transportation Security Administration, the security authority responsible for air traffic, which it says will investigate at the federal level.

As the hacker writes in her blog, she rummaged around in the Zoomeye computer search engine out of boredom and came across CommuteAir’s unsecured test server, which was running the Jenkins automation software. Messages from the Aircraft Communications Addressing and Reporting System (ACARS) piqued her interest, so she researched what was on the server. In addition to credentials for the airline’s various Amazon AWS instances, Maia also found several lists of names on the server: employee_information.csv, nofly.csv, and selectee.csv. According to Maia, the latter is a list of people who have to endure extensive security checks on every flight.

The hacker now wants to make the data accessible to groups of people who have a legitimate interest in it. She is aware that the lists contain confidential information, but she believes that it is “in the public interest to make this list available to journalists and human rights organizations”.

In August 2021, the Ukrainian security researcher Volodymyr Dyachenko also found a – probably even more up-to-date – list of suspected terrorists. At that time, too, a database lying freely on an Elasticsearch cluster with a Bahraini IP address was freely accessible to everyone and contained not only the names of 1.9 million people but also, for example, their citizenship, gender, date of birth, passport number and flight status.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s