Reverse Engineering Cathay Pacific’s Seat Selection Page

Note: I am not a security researcher, and I do not have any advanced web security knowledge.

Also, I did not alter any data on Cathay Pacific's website, and I did not manage to use this method to change my seat. In addition, you can't get any personal data using the method I describe in this article.

However, I was able to view the seat maps for all Cathay Pacific flights.

Also, this is not something new. You can actually do the same thing using this website: www.expertflyer.com.

Cathay Pacific, if you are reading this, please DM me on Twitter.

Storytime!

I love flying, and I absolutely love window seats (yes, the Boeing 787's windows are amazing! They're super big and the window dimming is just like magic).

So here's the story. I am flying Cathay Pacific to San Francisco in the upcoming week (hooray!). Unfortunately, my ticket fare type is Class S (Economy Save), which is not eligible for advance seat requests :(

I want a window seat!!!

Maybe I can check whether there are any window seats left? So I went to Cathay Pacific's website and entered my booking reference. Then I clicked on the "Select seat" button, and this is what I saw:

Nope nope nope nope nope.

All the seats are unavailable?

Bummer, it looks like the website won't show you seat availability if you are not eligible for advance seat requests. That's sad for me. What should I do now?

Hello, Chrome DevTools

Well, what else can I do? Of course, I can just open Chrome DevTools and look for any hidden information.

So I clicked on the "Network" tab and searched for the HTTP request for the seat map. Voila! This is what I found:

(Screenshot: JSON result of the seat map)
(Screenshot: API URL for the seat map; some personal data are hidden)

This is the part that makes everything interesting. What if I change bookingClass from S (Economy Save, not eligible for seat requests) to L (Economy Standard, eligible for seat requests)?

So I opened a new Chrome tab, edited the parameter, pasted the URL, and hit enter!

No. Error. Message.

Voila!

It returned the full seat map. But this time, the JSON result is slightly different.

For the first time, I can see that some seats are still available.

I am now looking at the unformatted JSON result, which is ugly. I need a proper visual for this. So I opened my code editor and pasted the JSON result (I can't make the HTTP request directly to Cathay Pacific's server from my page due to CORS restrictions).

With a little help from CSS and JavaScript, this is finally what I wanted to see:

Mission accomplished! You can check out the demo here: https://button-dew.glitch.me, (Source).

Extra: How secure is the API?

https://api.cathaypacific.com/mb-api/mbseat/v1/retrieve?departureDate=111118&originAirportCode=HKG&destinationAirportCode=SFO&marketingCompany=CX&flightNum=870&bookingClass=L&rloc=<BOOKING_REFERENCE>

For some reason, the currency, familyName, givenName, passengerId, and passengerType parameters are not required: the server answers without them.

As long as you have the rloc (booking reference code) and the correct flight info, you will be able to get the seat map. No family name or given name required! And bookingClass is taken straight from the query string, so the client decides whether it is eligible for advance seat selection. The CORS restriction mentioned above is no protection either: CORS only stops a page on another origin from reading the response inside a browser, and curl or any script outside the browser can call this URL directly.

Let's do some quick math. A booking reference is 6 characters drawn from letters and digits, so there are 36^6 = 2,176,782,336 possible codes, while the economy cabin of a Boeing 777-300ER has 268 seats.

Hence, if each seat had its own booking, the chance that one random guess lands on a valid code for this flight is 268 / 2,176,782,336, roughly 0.0000123% (1.2 × 10^-7). That is the odds of a single guess, not the cost of an attack: the real question is how many guesses the API lets you make, since the endpoint needs no login.

I guess this is quite secure?

[Update: 2 Nov 2018] Well, I was wrong. This is NOT secure!

Nani? Business class?

Nope. This is not good at all.

As long as you have a valid booking reference (rloc), ANY valid rloc, you will be able to get THE FULL SEAT MAP FOR ALL CATHAY PACIFIC FLIGHTS. The server never checks that the rloc belongs to the flight in the query string, which also makes the guessing math above moot: you do not need to hit a code on one particular flight. Your own booking reference is enough, and an attacker with none needs only one hit among every live Cathay Pacific booking, not among the 268 on a single aircraft.

The screenshot above is the business class seat map from Hong Kong to Beijing (CX5900). And of course, I am not flying on that flight.

DO SOMETHING, CATHAY PACIFIC!

And this is what they told me …

Whether I get the window seat or not, I am flying to San Francisco to attend my very first Chrome Dev Summit in the upcoming week!

(If you are joining the event) See you in two weeks! Woot woot!

But no. I don’t want to see you, Karl. (That’s the Golden Gate Bridge hiding behind the thick fog). — May 2017

Henry Lim

Google Developer Expert in Web Technologies | Front-end Web Developer | Making the web better with Preact, Polymer, Web Components, PWA & Firebase