FlyCASS essentially offers FAR121 and FAR135 airlines a way to manage KCM and CASS requests without having to develop their own infrastructure. It pitches itself as a service requiring zero upfront cost to airlines that can be fully set up in 24 hours, with no technical staff required.
The researchers note that each airline has its own login page, which is exposed to the internet. According to the research, these login pages could be bypassed using a simple SQL injection.
"With only a login page exposed, we thought we had hit a dead end," Carroll said in his writeup. "Just to be sure though, we tried a single quote in the username as a SQL injection test, and immediately received a MySQL error.
"This was a very bad sign, as it seemed the username was directly interpolated into the login SQL query. Sure enough, we had discovered SQL injection and were able to use sqlmap to confirm the issue. Using the username of ' or '1'='1 and password of ') OR MD5('1')=MD5('1, we were able to login to FlyCASS as an administrator of Air Transport International!"
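To show why the single-quote probe produced a database error and why the quoted usernames then worked, here is an added illustration (not code from the researchers' writeup or from FlyCASS) of a login query built by string interpolation beside the parameterized form that closes the hole. The user table, the query shape and the MD5() shim are constructed assumptions; the article does not show the real schema or query text.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the login backend (not FlyCASS's schema)."""
    db = sqlite3.connect(":memory:")
    # MySQL has MD5() built in; SQLite does not, so register one for the demo.
    db.create_function("MD5", 1,
                       lambda s: hashlib.md5(str(s).encode()).hexdigest())
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    # Hypothetical account; the name and password are made up for this example.
    db.execute("INSERT INTO users VALUES "
               "('ati_admin', MD5('correct-password'), 'administrator')")
    return db


def login_interpolated(db, username, password):
    """The defect the article describes: input pasted straight into the SQL
    text, so a quote in the username or password becomes part of the query.
    The query shape is an assumption consistent with the quoted payloads."""
    query = (f"SELECT role FROM users WHERE username = '{username}' "
             f"AND password_hash = MD5('{password}')")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Hardened form: bound parameters. The driver sends the values separately,
    so quotes and OR clauses in them are compared as data, never run as SQL."""
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND password_hash = MD5(?)",
        (username, password)).fetchone()
    return row[0] if row else None


def quote_probe_errors(login, db):
    """The researchers' first check: does a lone quote in the username raise a
    database error? True is the tell for string-built SQL; the parameterized
    login simply returns no match."""
    try:
        login(db, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True
```

Run against the interpolated login, the article's username and password pair returns the administrator row; against the parameterized login the same strings are just a non-matching username and password.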
When it came to disclosing the findings, it seems the US authorities didn't want this coming out, if the researchers' account is anything to go by. Carroll says the DHS completely ignored all attempts to disclose the findings in a coordinated way.
He also claimed the TSA "issued dangerously incorrect statements about the vulnerability, denying what we had discovered."
"After we informed the TSA of this, they deleted the section of their website that mentions manually entering an employee ID, and did not respond to our correction. We have confirmed that the interface used by TSOs still allows manual input of employee IDs."