Tony Abbott, Australia’s former Prime Minister, found himself in quite an embarrassing situation recently. Following a Qantas flight from Tokyo to Sydney, the former PM posted a photo of his boarding pass, thanking the crew for the flight. Just 45 minutes later, a hacker managed to use the boarding pass to gain access to Mr. Abbott’s details, including his passport number and mobile number. So what exactly happened, and why should you never post your boarding pass online?
What happened?
The story began in late March when the former PM posted a picture of his boarding pass on Instagram. He posted the photo (of his boarding pass and baggage receipt) to thank the crew of QF26 from Tokyo to Sydney on 21st March. The post has since been deleted, but not before an interested hacker got a look at it.
When you browse Instagram and find former Australian PM’s Tony Abbott’s passport https://t.co/9nuxzOVcN8 pic.twitter.com/T3Rw1javMe
— Winson Tang (@winsontang) September 16, 2020
In a blog post, Alex Hope, the man behind the hack, described how one of his friends sent him the Instagram post and challenged him to hack into the details. However, Mr. Hope quickly realized he didn’t need to do any “hacking”: the booking reference number was printed on the baggage receipt (blurred out in the above photo).
After heading to the Qantas website and entering the reference number and the former PM’s last name, lo and behold, he had access to the PM’s name, flight details, and frequent flier number. This was clearly a security breach, but one brought about by Mr. Abbott’s own mistake. However, Mr. Hope quickly found another flaw in Qantas’ website.
Security flaw
Until now, Alex Hope had managed to access only the former PM’s basic details. However, out of curiosity, he decided to look at the page code of the Qantas ‘Manage Booking’ website. Using the ‘Inspect Element’ feature in Google Chrome (which shows the page’s underlying HTML code), Mr. Hope searched for the word “passport”.
However, Mr. Hope did not just find the former Prime Minister’s passport number and mobile number. He also found communications between Qantas staff about the booking. This included notes such as “please seat in the last row window” and “requesting fast track for Mr. Abbott.”
To sum up, the photo of Tony Abbott’s boarding pass allowed Alex Hope to access his flight details, frequent flier number, passport number, mobile number, and staff comments about the booking. This had to be fixed quickly, at the very least by reducing the number of details available to anyone with your reference number and name.
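The flaw described above, as an added example (not Qantas’ code and not from Mr. Hope’s write-up): a constructed booking record with hypothetical field names is rendered once with the sensitive fields merely hidden in the markup, and once through a server-side allowlist, with a check that reports which sensitive values still reach the page source.

```javascript
// Constructed sample record; field names and values are hypothetical.
const booking = {
  reference: "ABC123",
  lastName: "EXAMPLE",
  flight: "QF26",
  seat: "1A",
  passportNumber: "X0000000",
  mobile: "+61 400 000 000",
  staffRemarks: ["please seat in the last row window"],
};

// Fields the page actually displays. Nothing else should leave the server.
const CLIENT_FIELDS = ["reference", "lastName", "flight", "seat"];

// Minimal HTML escaping so values cannot break out of the markup.
const esc = (s) => String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Before: every field is sent; sensitive ones are only hidden from view,
// so they remain readable in the page source.
function renderUnsafe(b) {
  return Object.keys(b)
    .map((k) => {
      const hidden = CLIENT_FIELDS.includes(k) ? "" : " hidden";
      return `<dd data-field="${k}"${hidden}>${esc(b[k])}</dd>`;
    })
    .join("\n");
}

// After: only allowlisted fields are ever written into the response.
function renderSafe(b) {
  return CLIENT_FIELDS.map((k) => `<dd data-field="${k}">${esc(b[k])}</dd>`).join("\n");
}

// Regression check: names of non-allowlisted fields whose values appear in the markup.
function leakedFields(html, b) {
  return Object.keys(b)
    .filter((k) => !CLIENT_FIELDS.includes(k))
    .filter((k) => [].concat(b[k]).some((v) => html.includes(esc(v))));
}

console.log("unsafe page leaks:", leakedFields(renderUnsafe(booking), booking));
console.log("safe page leaks:", leakedFields(renderSafe(booking), booking));
```

A check like `leakedFields` belongs in the test suite of the rendering layer, so that a field added to the booking record later does not silently reach the browser.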
No ill intentions
Soon after realizing what he had managed to access, Mr. Hope did the right thing and reported the issue to Tony Abbott’s office and the Australian Cyber Crime division. He also reached out to Qantas’ security team, who forwarded the complaint to their booking software partners.
After nearly five months of following up, Qantas finally confirmed that they had fixed the issues. However, Mr. Hope says he had one more surprise call, this time talking to the former Prime Minister himself, to whom he explained how much sensitive information a boarding pass contains.
The takeaway from this story is simple: don’t post your entire boarding pass, no matter how exciting the trip! Even if you do decide to post a picture, be sure to remove the barcode, reference number, and any personal details you don’t want the internet to know.
Mr. Abbott has since requested a new passport and may have changed his phone number (despite the hacker never actually calling it). I would also highly recommend reading Mr. Hope’s detailed account of the entire incident, which is quite humorous and informative.