A HOT POTATO: A security researcher has discovered serious vulnerabilities in Frontier Airlines' booking system. Using just two pieces of information printed on every boarding pass – a booking code and a last name – anyone can pull full passport numbers, home addresses, TSA PreCheck codes, and nearly complete credit card details from the airline's API. The vulnerabilities have been known for over three months.

Update (June 19): After publication, Frontier Airlines provided TechSpot with a statement saying it was "aware of potential IT vulnerabilities" and that the issues had been "addressed and resolved." The airline added that the security of its systems is a top priority and that it takes such matters very seriously. Frontier did not provide additional details about when the vulnerabilities were fixed or whether any customer data was accessed by unauthorized parties.

The original report follows below:

If you've ever flown Frontier Airlines and your boarding pass ended up in a photo, a trash can, or a social media post, your personal data may be accessible to anyone right now.

A security researcher going by BobDaHacker published a detailed disclosure this week revealing that Frontier's mobile API and booking management pages expose the full personal records of every passenger on a reservation to anyone armed with a booking code and a last name.