Sunday, September 08, 2024

CISA Breaks Silence on Controversial Airport Security Bypass

Researchers and the TSA have different views on the impact of vulnerabilities in an airport security application that could allegedly allow the bypass of certain airport security systems.

Comments

More from the article...

... In late August, researchers Ian Carroll and Sam Curry disclosed the details of an SQL injection vulnerability that could allegedly allow threat actors to bypass certain airport security systems.

The security hole was discovered in FlyCASS, a third-party service for airlines participating in the Cockpit Access Security System (CASS) and Known Crewmember (KCM) programs.

KCM is a program that enables Transportation Security Administration (TSA) security officers to verify the identity and employment status of crewmembers, allowing pilots and flight attendants to bypass security screening. CASS allows airline gate agents to quickly determine whether a pilot is authorized for an aircraft's cockpit jumpseat, which is an extra seat in the cockpit that can be used by pilots who are commuting or traveling. FlyCASS is a web-based CASS and KCM application for smaller airlines.

Carroll and Curry discovered an SQL injection vulnerability in FlyCASS that gave them administrator access to the account of a participating airline.

According to the researchers, with this access, they were able to manage the list of pilots and flight attendants associated with the targeted airline. They added a new 'employee' to the database to verify their findings. ...



#1 | Posted by LampLighter at 2024-09-08 04:41 PM
