The TSA’s “No-Fly” list is an extremely important document in the US. In fact, it lists people who are not allowed on airplanes. This is because they are considered a risk to national security. You would think that such a document would be subject to tight security. As the TSA No Fly List leak showed us, it turns out that that’s not the case.
The TSA No Fly List Blog Post
On the 19th of January, maia arson crimew made a blog post titled “how to completely own an airline in 3 easy steps“. In it, they described how they were able to access the contents of the server of the US based regional airline “CommuteAir”.
Maia arson crimew is the developper behind Lawnchair Launcher, a very popular launcher app for Android, which they made as a teenager.
In the video below, Youtuber SomeOrdinaryGamer breaks down the leak and everything you need to know.
In short, the hacker was able to access an unsecure server containing CommuteAir files. On it, maia was able to find several documents:
three csv files, employee_information.csv, NOFLY.CSV and SELECTEE.CSV. all commited to the repository in july 2022. the nofly csv is almost 80mb in size and contains over 1.56 million rows of data. this HAS to be the real deal (we later get confirmation that it is indeed a copy of the nofly list from 2019).
The NOFLY.CSV document was just that, a “No Fly” list dating back to 2019. Since then maia has given the file to the DDoS Secrets nonprofit, who is making it available to journalists and researchers. For the purpose of this article, I requested access to this data.