Like a lot of people, former PM Tony Abbott can't resist posting his travel pics to Instagram. But posting an image of his boarding pass led to his passport number, airline seating instructions and even personal phone number being revealed.
Back in March, Tony Abbott posted images from his recent trip to Japan, including the boarding pass of his business class flight. The picture has since been removed, but that one image was enough to get the rest of the info.
The full story is worth reading & goes the steps taken by hacker Alex Hope (the vulnerability has since been fixed).
- Obtain booking reference from the boarding pass.
- Login to the Qantas Portal using the booking reference and (well-known) last name.
- View the HTML of the booking page, which reveals the Passport ID, seating instructions and contact phone number.
Mr. Hope claims to have done it as part of a dare, and not out of malice. He went to great lengths to contact authorities about the breach, emailing and calling various departments and representatives to try and let them know what had happened.
Until Tony Abbott called him back.
"Mostly, he wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about “the IT”." said Alex
"He asked some intelligent questions, like “how much information is in a boarding pass, and what do people like me need to know to be safe?”, and “why can you get a passport number from a boarding pass, but not from a bus ticket?”."
Former PM Mr. Abbott seemed to take it all very well:
“It’s a funny old world, today I tried to log in to a [Microsoft] Teams meeting (Teams is one of those apps), and the fire brigade uses a Teams meeting. Anyway I got fairly bamboozled, and I can now log in to a Teams meeting in a way I couldn’t before"
"It’s, I suppose, a terrible confession of how people my age feel about this stuff.”"