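Spirit Airlines' collapse: active Azure endpoints, an unfixed booking flow, and cheap domains
After Spirit Airlines officially ceased operations, a large and costly infrastructure was left abandoned: the booking flow kept running, an Azure API kept issuing valid flight records, and phishing-prone domains were available to register cheaply.
Because the systems were not promptly shut down and the flights were never deleted from the database, ticket booking and payment processing continue.
The situation also raises the risk of personal data leakage and an ongoing cloud compute bill, and another interesting finding is that GoDaddy remains the domain registrar.
On May 2, 2026, Spirit Airlines announced that it was ceasing operations. With this large airline's infrastructure abandoned, a technical "zombie state" has been exposed. An investigation of the site's inner workings found that the booking system is still running, and that API endpoints issuing valid flight information and domains open to phishing abuse have been left unattended.
A booking system that keeps running
When it ceased operations, Spirit Airlines did nothing more than redirect the root path of its website to the bankruptcy information site. The booking flow, however, can still reach the "BOOK" form through internal links, and the Navitaire API (the airline's reservation system) was found to be still running on Azure. This means a company that no longer does business remains able to process payments even though it cannot provide the service.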
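The gap described above, a redirect on the root path while inner routes and the API host keep answering, can be caught by checking the whole URL inventory before a wind-down is declared complete. The following is an added example, not code from the original article or from Spirit; the hostnames, paths, status sets and sample responses are constructed assumptions.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

WIND_DOWN_HOSTS = {"winddown.example"}  # assumed: the only acceptable redirect target
OFFLINE = {404, 410, 503}               # assumed: statuses that mean "route switched off"
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample: (status, Location) per URL of a hypothetical retired site.
SAMPLE = {
    "https://retired.example/": (302, "https://winddown.example/guests"),
    "https://retired.example/book": (200, None),
    "https://retired.example/account/refund-status": (200, None),
    "https://retired.example/promo": (301, "/book"),
    "https://api.retired.example/v1/payments": (200, None),
    "https://api.retired.example/v1/loyalty": (410, None),
}

class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it

def probe(url, timeout=10):
    """HEAD one URL on a host you operate; return (status, Location), redirects not followed."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def verdict(url, lookup, max_hops=5):
    """Classify one inventoried URL as 'redirected', 'offline' or 'live'."""
    for _ in range(max_hops):
        status, location = lookup(url)
        if status in OFFLINE:
            return "offline"
        if status not in REDIRECTS or not location:
            return "live"  # still serving content or accepting requests
        url = urljoin(url, location)
        if urlsplit(url).hostname in WIND_DOWN_HOSTS:
            return "redirected"
    return "live"  # redirect chain that never leaves the retired estate

def audit(urls, lookup=probe):
    """Map every inventoried URL to its verdict; any 'live' entry is unfinished cleanup."""
    return {u: verdict(u, lookup) for u in urls}

def sample_lookup(url):  # offline stand-in for probe(), backed by SAMPLE
    return SAMPLE.get(url, (404, None))
```

In the constructed sample the root path passes while `/book`, the refund-status page, the payments API and a redirect that lands back on `/book` are all reported as live.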
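Data-leak risk and a breeding ground for phishing
Amid the confusion, highly predictable phishing domains such as spiritliquidation.com and spiritrefunds.com were left openly available. The author registered these domains and redirected them to the official liquidation page, acting to head off the wave of fraud that was likely to follow. As a result, visits were confirmed from ordinary users who were actually looking for information about their canceled flights.
Payment-processing weakness and data collection
A more detailed investigation found that Spirit's "Refund Status" link leads straight into the existing account system. From there, everything from flight search through personal information entry to the payment screen was confirmed to be working. When the author tried it with fictitious card information, the API returned a "transaction declined" response, proving that the payment processor had not been shut down.
Conclusion: the chaos caused by abandoned infrastructure
This case shows the danger of the "cleanup" of technical infrastructure being skipped entirely when a large company abruptly ceases operations. When a booking system and payment API are left running unattended, users' personal information is put at risk, and the abandoned systems can also become a breeding ground for large-scale fraud by malicious third parties.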
Opening of the original article (English, first 3 paragraphs only)
As Spirit Airlines officially ceased operations on May 2, 2026, a multi-billion-dollar corporate infrastructure was abandoned in real-time. I discovered their exposed booking flow that still processes transactions, a live Azure API still issuing valid flight records, and a primary phishing domain, spiritrefunds.com, available for the default registration price of $11.48. This is my deep dive into the chaos of Spirit Airlines’ zombie infrastructure.
To anyone affected by the canceled Spirit Airlines flights: Please visit www.spiritrestructuring.com/guests for the latest information about the bankruptcy case.
Hi, my name is Brayden Hustead. I’m a Computer Science student and, on occasion, I dive deep into interesting tech topics. As I haven’t seen anyone else cover this, I thought sharing my discoveries would be valuable.
Spirit Airlines’ approach to facilitating its “orderly wind-down of our operations, effective immediately” on its web infrastructure was to apply a root path redirect at spirit.com/ to the bankruptcy information website and call it a day.
Not only does the booking flow still work by using internal page links to reach the “BOOK” form, but the Navitaire API is also still active on Azure, allowing payments to continue being processed. Payments for services that cannot be provided to an entity that is no longer a functioning business.
Further demonstrating this panicked approach, very predictable phishing domains such as spiritliquidation.com, spiritrefunds.com, and spiritrefund.com were left exposed and available on any consumer registrar for malicious use.
I registered these 3 domains and redirected them to the official liquidation page to help combat the likely mass scams resulting from the promised flight refunds. Using statistics from my redirect on spiritliquidation.com, I found 43 visits that appear to be likely human traffic.
As this domain was not published anywhere, these are real people in real despair about their canceled flights, searching for any available information.
Legal notice: Spirit Airlines’ designated bankruptcy contacts have already been informed, and I am prepared to transfer ownership to the appropriate person.
On May 2, 2026, Spirit Airlines announced an immediate “orderly wind-down” of operations. During this transition, their technical infrastructure was obviously duct-taped together to handle the world's panic.
I learned about this story this morning when my mom informed me. As my sister was among those affected by the canceled flights, I took a keen interest in how an entity of that size would be dissolved. As a Computer Science major and Cybersecurity minor, I immediately experimented with the spirit.com and spiritrestructuring.com websites.
I would like to add, for the record, that as of the initial publication of this post, my sister has not received a single email from Spirit. No cancellation email, no announcement to account holders, nothing leading up to or after the announcement. Other than third-party news outlets, the only indicator of her flight’s cancellation was a lazy pop-up in the mobile app that never directly stated Spirit Airlines is being liquidated.
Originally, I suspected Spirit would use the flight database to assist with flight cancellation emails; however, my discoveries in this post very likely explain the lack of emails: the flights were never canceled in the database. In fact, the flights are still bookable?
Transparency Notice: My research was assisted by Google Gemini 3 Fast. All presented information, including research into Spirit’s processes, was fact-checked authentically.
I discovered that their “Refund Status” link points directly back to their existing Spirit account system.
Using this connection back to the original website, I discovered that the root directory www.spirit.com/ is still accessible by clicking “BOOK” in the header, but clicking the Spirit logo or browsing to spirit.com directly redirects to the “restructuring” website. Evidently, Spirit’s IT teams pushed a redirect at the CDN edge for the root path, but, as they had very little time (or pay, given the bankruptcy's status) to do cleanup work, the internal links within the spirit.com route were left unmodified. Further, from the Spirit homepage, I was able to search for a flight and view the latest availability and pricing status from their database’s most recent cache. This is where it gets interesting.
(For the record, this is an entirely abstract flight plan. I made it up.)
I’ll be honest, this is where I thought my site manipulation would end. In my initial testing, I misread some of my results. After a second attempt, I made an insane discovery. By simply scrolling for flight dates, I was given an option to proceed!
Spirit is offering me a flight!
After continuing screen by screen, I grew more and more mindblown. I was shown available seats to select for each flight, presented a personal information form, and brought to the payment screen.
(For the record, this is entirely fictional personal information.)
I don’t think I need to explain how insane this is. Spirit is still collecting Personally Identifiable Information from users. I couldn’t resist. I had to try it. I generated a fake card number that passed the form’s built-in validation, and pressed “ACCEPT AND BOOK”. After declining travel insurance, there it was. My transaction was declined.
Look, I’m not going to try a real card for obvious reasons.
However, receiving a “transaction declined” message directly in the API response header allows me to reach a reasonable conclusion: Spirit Airlines, an airline actively being liquidated, left its payment processor open.
The API generated and responded with a REAL recordLocator (PNR, censored just in case), and a REAL “nk:Payment:PaymentAuthorizationDeclined” response. If Spirit had deactivated the payment processor, Navitaire (Spirit’s PSS) would’ve likely responded with an error like “nk:Payment:ProviderUnavailable,” “nk:Payment:ConfigurationError,” or a generic 503 Service Unavailable.
Further, the ActivityID of 2026-40-02 T 18:40:33 appears to be a timestamp directly attributed to the credit card network attempt and should not be present in a deactivated system.
This booking API request also revealed some other information. For one, a cookie with *.booking-eus-prod.azurewebsites.net, an active Azure endpoint. This endpoint, being present in the booking flow, is almost certainly Spirit’s Navitaire New Skies endpoint hosted on Microsoft Azure. Being able to receive a cookie from this endpoint, along with the attempted transaction, clearly shows that Spirit Airlines’ backend systems are still running in full behind their root path redirect. Not only does this pose a risk of PII being stolen, as there are presumably no longer IT staff monitoring the resources’ security, but it also validates that the backend is still communicating with external endpoints (like the payment gateway).
This is an endpoint that, until 48 hours ago, was, based on revenue reports, processing ~$13–$15 million in transactions every single day, and it now remains active in the shadows without proper monitoring.
Not to mention, as long as these cloud-hosted endpoints are running, Spirit is still accumulating a cloud compute bill.
The presence of detailed Server-Timing headers (Dynatrace metrics) also indicates that the airline's full telemetry stack remains operational on top of Navitaire, showing further that seemingly nothing was fully deactivated on the backend. The backend is continuing to perform deep packet inspection and performance logging for transactions it should not be processing.
An unrelated but interesting point I discovered is, while most major enterprise infrastructure is running on the enterprise-grade MarkMonitor registrar, spirit.com, a massive airline website powering the company’s ~$4.91 billion revenue (as of 2024-2025), is still using GoDaddy as its registrar. This is likely a result of how tight their margins have always been, and thus, if it ain’t broke, don’t fix it. GoDaddy, a registrar commonly used for independent projects and startups, has been the core component behind all of Spirit’s operations.
Anyways, back to the chaos. Along with Spirit’s still-exposed extremely sensitive endpoints, they also failed to register domains very closely resembling spiritrestructuring.com. Considering the pure number of panicked, non-tech-savvy individuals frantically looking for what in the world happened, I am almost certain that there have already been Spirit flight refund scams. In the age of the internet, a legitimate, clean domain is the ultimate tool for malicious actors to trick everyday people, so leaving extremely legitimate domain mistakes is effectively encouraging scams to occur.
Now, Epiq11 (the legal firm managing their liquidation) isn’t seemingly responsible for cybersecurity, but Spirit’s liquidation effectively froze their funding to register even a single domain.
As to who can be blamed for this, it’s a mix of both and neither.
To my horror, I discovered spiritliquidation.com, spiritrefunds.com, and spiritrefund.com were available for Namecheap’s default price of $11.48. Recognizing that leaving these ‘high-intent’ domains exposed during a bankruptcy peak posed a massive phishing risk, I registered all three to prevent malicious actors from hijacking them and to guide stressed Spirit customers to the correct domain.
My initial deployment used Short.io to provide immediate impact measurement, confirming within minutes that users were hitting the domain. However, after viewing the analytics page, I determined that Short.io’s mandatory logging policies on the free plan captured more visitor data than I was comfortable maintaining in a defensive research context. To ensure I do not obtain more visitor data than I should, and to ensure I can guide passengers without compromising their privacy, I have since migrated the domains to Cloudflare Redirect Rules, ensuring a zero-log, privacy-first redirection.
However, in the ~280 minutes that spiritliquidation.com was active on Short.io, I received valuable insights into the impact of the registration. Of the 92 redirects performed, 54 visits, seemingly all direct based on the unknown referrer statistic, were considered human by Short.io. Excluding Linux clients, as they are likely crawling bots, leaves 43 visits. The wide variety of browsers, as well as the high number of visits from iOS and Mac OS X, further suggest that this domain rerouted real people to the official domain in just ~4 hours of being accessible.
Initial triage telemetry confirmed immediate human traffic from a diverse range of mobile and desktop devices, proving the high-intent nature of these abandoned URLs.
To wrap up this massive technical deep dive, I would like to clarify one more thing.
I am currently holding spiritliquidation.com, spiritrefunds.com, and spiritrefund.com in a defensive registration to protect the public. I have already passed this information along to Spirit Airlines’ designated bankruptcy contacts and am more than happy to transfer the domains to the appropriate person. My goal is to ensure these domains are not used to facilitate phishing attacks.
Thank you for reading my very unexpected deep dive into a topic I never knew would intrigue me so much. To be fair, I don’t think anyone expected the collapse of Spirit to happen this abruptly, so it leads to a very interesting topic.
With nerdy appreciation,
Brayden
Note: Out of respect for copyright, the quotation is limited to the opening 3 paragraphs. Please see the original article for the rest.