Frontier Airlines API Exposes Passport, Credit Card, and Personal Data via Boarding Pass Information

A security researcher named BobDaHacker has revealed critical vulnerabilities in Frontier Airlines’ booking system. These flaws enable anyone who has the six-character booking code (PNR) and the passenger’s last name, both of which appear on every Frontier boarding pass, to access the full passenger record.

This information includes passport numbers, partial credit card details and home addresses, all of which are available through the airline’s mobile API.

The issues were first reported to Frontier on March 3, 2026. As of June 18, 105 days later, the vulnerabilities persist.

What does the API expose?

Frontier’s mobile API endpoint accepts a PNR and last name, then returns the complete internal booking record for each passenger on the reservation.

Available data includes full home address details such as street, city, state and zip code, as well as email address and phone number.

It also reveals passport details such as passport number, country of issue and expiry date, as well as full dates of birth, including those of minors. Additionally, it exposes:

  • Known Traveler Number, used for TSA PreCheck.
  • Frontier Miles loyalty number.
  • Credit card information, including the first six digits (BIN), last four digits, expiration date, cardholder name, and complete billing address.
  • Payment history data, including authorization codes.

Why is credit card exposure worse than it seems?

The exposure of credit card information is especially significant. BobDaHacker explains that knowing the BIN (first six digits) along with the last four digits leaves only five digits of the 16-digit card number to guess.

The 16th digit is a check digit generated by the Luhn algorithm, which can be calculated from the other 15 digits. This leaves approximately 100,000 possible combinations for the middle digits that can be tested with a script in minutes.

In addition to the mobile API, BobDaHacker found that Frontier’s website also leaked data through its Manage My Booking pages. The passenger/edit page, accessible with the same PNR and last name, shows the full passport number, date of birth and KTN, and the data is also embedded in a server-rendered JSON blob within the page source.

When Frontier first tried to fix an old email leak on the Manage My Booking page, it introduced two new leaks, one of which exposed phone numbers.

The fourth vulnerability involved an endpoint that returned booking data from only a PNR, without requiring the last name; it was patched by Frontier.

The company sent a model airplane to the researcher as acknowledgement. The remaining problems have not been resolved.

Disclosure timeline and what Frontier customers should do

BobDaHacker follows responsible disclosure practices. The initial vulnerability report was sent to Frontier on March 3, 2026, and several follow-up reports were sent over the following months.

With no response from Frontier, the formal 30-day disclosure deadline expired on June 12, 2026. The public disclosure was published on June 18, 2026. So far, Frontier has not issued any public statements.

Anyone who has flown with Frontier Airlines should take these steps to reduce the risk of exposure:

  1. Never share photos of boarding passes on social media, even if you have edited out personal details, as the barcode also contains the PNR and last name.
  2. Destroy printed boarding passes after travel rather than leaving them in the dustbin where they can be retrieved.
  3. Check credit card statements for any unauthorized charges, especially on cards used to book Frontier flights.
  4. If you’ve recently booked with Frontier, consider requesting a new credit card number from your bank.
  5. If your TSA PreCheck or passport details have been exposed, monitor for signs of identity theft.

Customers concerned about specific bookings can ask Frontier to remove their personal data from previous reservations, although this does not guarantee protection from future API access.

Why does Frontier’s booking system design make this vulnerability so serious?

A former Frontier employee told BobDaHacker that the company’s booking system, known internally as IBE, was already considered a legacy codebase.

The employee said the team was discussing plans to shut it down and replace it. “The IBE was a mess of generated configuration and code that only one person was senior enough to handle. Everyone else basically danced around it,” the former employee wrote.

This vulnerability is notable for its scale, as anyone with a Frontier boarding pass could have been affected, and for the airline’s lack of action more than three months after responsible disclosure.

The industry-standard timeline for responsible disclosure typically ranges from 30 to 90 days. Frontier went beyond both.

The incident also highlights a broader issue: PNRs are printed on boarding passes because they are not considered secret. Building security around boarding pass identifiers creates risks for any airline.

In Frontier’s case, the API treats the combination of PNR and last name as sufficient authentication to unlock the entire passenger record, including financial and travel document data.
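As a defensive counterpoint to the design described above, the following added example (not Frontier's code and not from the researcher's report) sketches field-level response filtering tied to how strongly the caller authenticated. The tier names, field names and masking rules are assumptions made for illustration.

```python
from enum import IntEnum

class Assurance(IntEnum):
    PNR_LOOKUP = 1     # PNR + last name, both printed on the boarding pass
    ACCOUNT_LOGIN = 2  # signed-in account that owns the booking (assumed tier)

# Deny by default: a field is returned only if its tier allowlists it.
BASIC = {"pnr", "first_name", "last_name", "flights", "seat"}
ALLOWED = {
    Assurance.PNR_LOOKUP: BASIC,
    Assurance.ACCOUNT_LOGIN: BASIC | {"email", "phone", "date_of_birth"},
}

def mask_tail(value: str, keep: int = 2) -> str:
    """Replace all but the last `keep` characters with asterisks."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]

# Sensitive fields are never returned in full, even to the stronger tier.
MASKED = {
    "passport_number": mask_tail,
    "known_traveler_number": mask_tail,
    "card": lambda card: {"last4": card["last4"]},  # no BIN, expiry, billing
}

def render_passenger(record: dict, level: Assurance) -> dict:
    """Build the API response for one passenger at the given assurance level."""
    out = {k: v for k, v in record.items() if k in ALLOWED[level]}
    if level >= Assurance.ACCOUNT_LOGIN:
        for field, mask in MASKED.items():
            if field in record:
                out[field] = mask(record[field])
    return out

# Constructed sample record; every value is a placeholder.
SAMPLE = {
    "pnr": "ABC123", "first_name": "JANE", "last_name": "DOE",
    "flights": ["F9 0000 DEN-LAS"], "seat": "12A",
    "email": "jane@example.com", "phone": "+1-555-0100",
    "date_of_birth": "1990-01-01", "home_address": "1 Example St",
    "passport_number": "X0000000", "known_traveler_number": "TT0000000",
    "card": {"bin": "000000", "last4": "0000", "expiry": "01/30",
             "billing_address": "1 Example St"},
}

if __name__ == "__main__":
    print(render_passenger(SAMPLE, Assurance.PNR_LOOKUP))
    print(render_passenger(SAMPLE, Assurance.ACCOUNT_LOGIN))
```

With this shape, a lookup made with only boarding-pass data returns itinerary fields and nothing else, and the home address is not serialized at either tier because no allowlist names it.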

Source: gHacks