Last week, known Swiss hacker Maia Arson Crimew proved that anything terrorists can do, a self-described “mentally ill enby polyam trans lesbian anarchist kitten” can do better, stumbling across the TSA’s entire no-Fly List while browsing exposed servers.
On Thursday, January 19, Crimew, an “indicted hacktivist/security researcher, artist,” per her Twitter bio, took to her pink, kitten-filled tech blog with an alarming post recalling how “boredom” ultimately led her to inadvertently discover a small airline’s exposed server.
me and bingle on our way to get interviewed pic.twitter.com/nF48J3rHIy— maia arson crimew (@_nyancrimew) January 23, 2023
Someone leaking the entire no fly list on this fucking blog is the funniest thing I've ever seen pic.twitter.com/0uG0uZQjlb— Lucas (@PunishedLink) January 21, 2023
In her exposé entitled “how to completely own an airline in 3 easy steps,” Crimew said she stumbled across CommutAir’s unprotected Jenkins server after being tipped off by a slew of familiar keywords.
"’ACARS,’ lots of mentions of ‘crew’ and so on,” she recalled of the terms that initially piqued her interest. “Lots of words i've heard before, most likely while binge-watching Mentour Pilot YouTube videos.”
Likening her initial find to hitting the “jackpot,” Crimew, whose home had previously been raided amid a hacking-related indictment, quickly realized just how much-unadulterated power had fallen in her own two paws.
“As i kept looking at more and more config files in more and more of the projects, it dawned on me just how heavily i had already owned them within just half an hour or so,” she recalled in her now-viral post.
“Hardcoded credentials there would allow me access to navblue apis for refueling, cancelling and updating flights, swapping out crew members and so on (assuming i was willing to ever interact with a SOAP api in my life which i sure as hell am not),” she continued of the server.
After perusing the server and realizing just how much data was actually available, reaching out to “journalists interested in a probably pretty broad breach of US aviation,” she then uncovered a true digital landmine — a file ominously entitled nofly.csv.
“The nofly csv is almost 80mb in size and contains over 1.56 million rows of data. this HAS to be the real deal,” she continued, noting that she later received confirmation that she had, in fact, found a copy of the nofly list from 2019. “holy shit, we actually have the nofly list. holy fucking bingle. what?! :3.”
Avowing to share the list with “journalists and human rights organizations” citing public interest, Crimew was still seemingly taken aback by the way these documents were hiding in plain (or should we say PLANE) sight.
“I had owned them completely in less than a day, with pretty much no skill required besides the patience to sift through hundreds of shodan/zoomeye results,” she mused.
Despite garnering traction on both InfoSec Twitter and Trans Twitter before landing in the broader news cycle, it seems government officials were less-than-amused with Crimew’s post.
“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” the agency told Forbes as the story went mainstream.
One small step for hackers, one giant leap for Cat Girl-kind.