Frontier Airlines is leaking your passport and credit card details from a boarding pass

A hot potato: A security researcher has discovered serious vulnerabilities in Frontier Airlines’ booking system. Using just two pieces of information printed on every boarding pass – a booking code and a last name – anyone can pull full passport numbers, home addresses, TSA PreCheck codes, and most of a stored credit card’s details from the airline’s API. Frontier has known about the vulnerabilities for over three months.

If you’ve ever flown Frontier Airlines and your boarding pass ended up in a photo, a trash can, or a social media post, your personal data may be accessible to anyone right now.

A security researcher going by BobDaHacker published a detailed disclosure this week revealing that Frontier’s mobile API and booking management pages expose the full personal records of every passenger on a reservation to anyone armed with a booking code and a last name.

Both are printed on every boarding pass, and both are encoded in its barcode. The researcher first reported the issues to Frontier on March 3. It is now June 18, 107 days later, and the critical vulnerabilities remain live.
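To show how little "secret" those two values are, here is an added example (not code from the article or from the researcher's post) that decodes the mandatory 60-character header of an IATA BCBP boarding-pass barcode and pulls out the PNR and surname. The field offsets follow the published BCBP layout; the sample pass is constructed for this example and does not correspond to any real booking.

```python
# Added example: decode the fixed-position mandatory fields of an IATA BCBP
# ("M" format) boarding-pass barcode. Offsets are the standard BCBP layout;
# the sample pass below is constructed, not scanned from a real document.
from dataclasses import dataclass


@dataclass
class BoardingPass:
    last_name: str
    first_name: str
    pnr: str
    origin: str
    destination: str
    carrier: str
    flight: str


def parse_bcbp(data: str) -> BoardingPass:
    """Decode the first leg's mandatory fields from a BCBP string."""
    if len(data) < 60 or data[0] != "M":
        raise ValueError("not an 'M' format BCBP boarding pass")
    name = data[2:22].rstrip()                 # SURNAME/GIVEN, space padded to 20
    last, _, first = name.partition("/")
    return BoardingPass(
        last_name=last,
        first_name=first,
        pnr=data[23:30].strip(),               # operating carrier PNR, 7 chars
        origin=data[30:33],                    # from-city airport code
        destination=data[33:36],               # to-city airport code
        carrier=data[36:39].strip(),           # operating carrier designator
        flight=data[39:44].strip(),            # flight number, 5 chars
    )


def lookup_key(data: str) -> tuple[str, str]:
    """The (PNR, last name) pair that the vulnerable endpoints accept."""
    bp = parse_bcbp(data)
    return bp.pnr, bp.last_name


# Constructed sample: one-leg pass for "JOHN DOE" on F9 flight 123, DEN -> LAS.
SAMPLE_PASS = (
    "M1"                        # format code, number of legs
    + "DOE/JOHN".ljust(20)      # passenger name
    + "E"                       # electronic ticket indicator
    + "ABC123".ljust(7)         # operating carrier PNR
    + "DEN" + "LAS" + "F9 "     # from, to, carrier
    + "0123 " + "045" + "Y"     # flight number, Julian date, compartment
    + "001A" + "0001 " + "1"    # seat, check-in sequence, passenger status
    + "00"                      # size of the variable field (hex)
)

if __name__ == "__main__":
    print(lookup_key(SAMPLE_PASS))
```

Any barcode scanner app recovers the same two fields from a photo of a boarding pass, which is why a PNR plus surname is an identifier, not an authenticator.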

The attack is straightforward. Frontier’s mobile API endpoint accepts a six-character PNR (Passenger Name Record) and a last name, and returns a full internal booking object that includes, for every passenger on the reservation:

  • Full home address (street, city, state, ZIP)
  • Email address and phone number
  • Full date of birth, including for minors
  • Complete, unmasked passport number, issuing country, and expiration date
  • Known Traveler Number (TSA PreCheck identifier)
  • Frontier Miles loyalty number
  • Credit card BIN (first 6 digits), last 4 digits, expiration date, cardholder name, and full billing address
  • Payment history with authorization codes

The credit card math

The payment exposure is more serious than it sounds. BobDaHacker explains that the BIN (the first six digits of a card number) combined with the exposed last four digits leaves only the six middle digits of a 16-digit card number unknown. But the 16th digit, which is among the four already exposed, is a Luhn check digit computed from the other 15, so only one in ten of the million possible middle sequences is consistent with it. That leaves exactly 100,000 candidate card numbers – trivially iterable in a script.

With the cardholder’s name, expiration date, and full billing address (which satisfies the AVS address check used for card-not-present transactions) also exposed, the CVV becomes the sole remaining security control.
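The arithmetic above is easy to confirm. The following is an added example (not code from the article or from the researcher) that builds the candidate set for a given BIN and last four and counts it; the BIN and suffix used are taken from the public Visa test number 4111 1111 1111 1111, not from any leaked card.

```python
# Added example: why BIN + last four + the Luhn check digit leave exactly
# 100,000 candidate PANs. The BIN/suffix pair used for the demonstration is
# the public test number 4111111111111111, not real card data.
from typing import Iterator


def _luhn_sum(pan: str) -> int:
    """Luhn sum: every second digit from the right is doubled (minus 9 if >9)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    return pan.isdigit() and _luhn_sum(pan) % 10 == 0


def candidates(bin6: str, last4: str) -> Iterator[str]:
    """Yield every 16-digit PAN with this BIN and suffix that passes Luhn.

    Digits 7-11 (from the left) are free: 10**5 choices. Digit 12 sits at an
    undoubled position in a 16-digit PAN (index 4 from the right), so once the
    other 15 digits are fixed it is forced to (-sum of the rest) mod 10. The
    checksum therefore removes one digit of freedom, never more, never less.
    """
    if len(bin6) != 6 or len(last4) != 4 or not (bin6 + last4).isdigit():
        raise ValueError("expected a 6-digit BIN and a 4-digit suffix")
    for n in range(100_000):
        free = f"{n:05d}"
        # Put a 0 at digit 12 so it contributes nothing, then solve for it.
        rest = _luhn_sum(bin6 + free + "0" + last4)
        d12 = (-rest) % 10
        yield bin6 + free + str(d12) + last4


def count_candidates(bin6: str, last4: str) -> int:
    """Size of the Luhn-consistent candidate set for this BIN/suffix pair."""
    return sum(1 for _ in candidates(bin6, last4))


if __name__ == "__main__":
    print(count_candidates("411111", "1111"))   # 100000
```

The point for defenders is that the masked form PCI-style displays rely on (first six, last four) is only safe when nothing else about the card is disclosed alongside it; once the name, expiry and AVS-grade billing address travel with it, the card number itself has effectively been reduced to a five-digit search.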

Beyond the mobile API, BobDaHacker found that Frontier’s website leaks data through its own “Manage My Booking” pages. The Passengers/Edit page, reachable with the same PNR and last name, displays full passport numbers, dates of birth, and KTNs, and also embeds them in a server-rendered JSON blob in the page source.

When Frontier attempted to fix an earlier email leak on the Manage My Booking page, it introduced two new leaks – one of which also exposed phone numbers.

There was also a fourth vulnerability: an endpoint that returned booking data from a PNR alone, with no last name required. That one Frontier did fix. The company also sent the researcher a model airplane. The rest remains unpatched.

A former Frontier employee who reached out after BobDaHacker’s post went live offered some context for why the codebase might be in this state. “IBE was already considered a legacy codebase,” he wrote, referring to the booking system visible in the researcher’s screenshots. “We were talking about sunsetting it and replacing it with a cleaner, more modern solution. IBE was a mess of generated config and code that only one person was senior enough to touch. Everyone else basically danced around it.” The employee added that the security incident came as no surprise given the workplace culture he had experienced.

BobDaHacker followed standard responsible disclosure throughout, with an initial report on March 3, multiple follow-ups, and a formal 30-day deadline set for June 12 that Frontier let pass without response. As of this writing, Frontier has not issued a public statement.
