[didgetmaster]

The lack of needing the last name might have allowed a hacker to brute force the whole list; but it seems that even with a last name, it could expose a lot of PII. Just pass codes along with popular last names (Smith, Jones, Nelson, etc.) and it seems like it could spit out a bunch of reservations.

[miki123211]

I'd go for wang, Li and Zhang instead, maybe also Patel and Nguyen. Asian countries have a much more skewed surname distribution.

[morpheuskafka]

Yes, it's also an issue when someone posts their bag tag/boarding pass/booking email online.

But that's the "industry standard" for checking a reservation online. Requiring airline login doesn't work because of tickets issued by travel agents or other airlines.

[codethief]

Exactly, I came here to say this!

> This two-factor system is generally secure. The space of all 6-character alphanumeric confirmation codes combined with all possible last names is astronomically large, making it impossible to “guess” a valid pair.

Depending on the threat model, the attacker's goal might not be to guess a single pair but to access any valid pair (of a booking with a flight date in the future, or maybe even in the past). Suddenly you're looking at thousands of valid booking codes and the attacker can try a couple dozen of common names. Brute-forcing valid pairs then becomes relatively easy.