Terrifying bug let anyone add fake pilots to roster used at TSA checks and skip security screenings
Flaws in third-party app FlyCASS - which allows smaller airlines to upload pilots and flight crew onto pre-cleared TSA lists - may have helped 'fake pilots' skip security checks, cybersecurity researchers said.

Using a series of basic SQL injections, the security researchers were first able to gain administration privileges in FlyCASS for the small, Ohio-based cargo airline Air Transport International.

Carroll and Curry reported that they were able to upload a fake airline employee, named 'Test TestOnly,' and were able to authorize the fake for both KCM and CASS access.

The two cybersecurity researchers have now also accused the TSA of issuing 'dangerously incorrect statements about the vulnerability' - minimizing the risk it may pose to air traffic.

TSA, according to Langston, 'does not solely rely on this database to verify the identity of crewmembers.'
