Ian Carroll writing on his blog:
The KCM [Known Crew Member] process is fairly simple: the employee uses the dedicated lane and presents their KCM barcode or provides the TSA agent their employee number and airline. Various forms of ID need to be presented while the TSA agent’s laptop verifies the employment status with the airline. If successful, the employee can access the sterile area without any screening at all.
…
At this point, we realized we had discovered a very serious problem. Anyone with basic knowledge of SQL injection could log in to this site and add anyone they wanted to KCM…allowing themselves to both skip security screening and then access the cockpits of commercial airliners.
Not great! (Emphasis above is mine.)
The unfortunate part of the story is that DHS stopped responding to them, making it impossible for these researchers to responsibly disclose the issue. It’s a big issue! Be open, acknowledge it, fix it, then disclose it. Don’t ignore the researchers bringing it to you and have your press office downplay the significance of it. Thankfully, DHS did fix the problem.
This is what security in the modern world looks like. Lots of holes yet to be discovered. Good to remember the next time you’re taking off your shoes and your belt at the airport.