This post was originally published on medium.com.
Note: I am not a security researcher, and I do not have any advance web security knowledge, etc.
Also, I did not alter any data on the Cathay Pacific’s website and I didn't manage to use this method to change my seat. In addition, you can't get any personal data using the method I mentioned in this article.
However, I was able to view all seat maps for all Cathay Pacific’s flight.
Also, this is not something new. You actually can do the same thing using this website: www.expertflyer.com.
Cathay Pacific, if you are reading this, please DM me on Twitter.
I love flying, and I absolutely love window seat (Yes, Boeing 787’s window is amazing! It’s super big and the window dimming is just like magic).
So here’s the story. I am flying Cathay Pacific to San Francisco in the upcoming week (Hooray!). Unfortunately, my ticket fare type is Class S (Economy Save), which is not eligible for advance seat request :(
I want a window seat!!!
Maybe I can check is there any window seats left? So I went to the Cathay Pacific’s website and entered my booking reference. Then I clicked on the “Select seat” button, and this is what I saw:
All the seats are not available?
Bummer, it looks like website won’t show you the seat availability if you are not eligible for advance seat request. That’s sad for me. What should I do now?
Hello, Chrome DevTools
Well, what else I can do? Of course, I can just open the Chrome DevTools and find is there any hidden information.
So I clicked on the “Network” tab and search for the HTTP request for the seat map. Voila! This is what I found:
This is the part that makes everything interesting. What if I change the
S (Economy Save, not eligible for seat request), to
L (Economy Standard, eligible for seat request)?
So I open a new Chrome tab, edit the parameter, paste the URL, and hit enter!
No. Error. Message.
It returns the full seat map. But this time, the JSON result is slightly different.
For the first time, I can see there are some seats which are still available.
I am now looking at the unformatted JSON result right now, which is ugly. I need a proper visual for this. So I open my code editor and paste the JSON result (I can’t do the HTTP request directly to the Cathay Pacific’s server due to CORS access restrictions).
Extra: How secure is the API?
For some reason,
passengerType are not required.
As long you have the
rloc (Booking Reference Code) and the correct flight info, you will able to get the seat map. No family name and given name required!
Let’s do some quick math. Since the booking reference code is a combination of 6 digits letters and numbers, so the code combination for this is 2,176,782,336, and the total seats for the Boeing 777–300ER economy class are 268 seats.
Hence, the chance for you to guess the correct booking reference code is 0.000012311750034340594%.
I guess this is quite secure?
[Update: 2 Nov 2018] Well, I was wrong. This is not secure.
Nope. This is not good at all.
As long you have the valid booking reference (
rloc), you will able to get THE FULL SEAT MAP FOR ALL CATHAY PACIFIC FLIGHTS.
The screenshot above is the business class seat map from Hong Kong to Beijing (CX5900). And of course, I am not flying on that flight.
DO SOMETHING, CATHAY PACIFIC!
Whether I get the window seat or not, I am flying to San Francisco to attend my very first Chrome Dev Summit in the upcoming week!
(If you are joining the event) See you in two weeks! Woot woot!