The Prime Minister in question is Tony Abbott, whose Instagram post of his boarding pass allowed a hacker to dig deep into a much bigger issue within the Qantas website.
When traveling, some people have the urge to share their journey with the entire world, especially on social media. This article shows how your urge to show off can expose your personal information to the masses.
Former Australian Prime Minister Tony Abbott did the same back on March 22nd, 2020, by uploading a picture of his boarding pass to Instagram for his return flight from Tokyo to Sydney. However, he didn’t know the downside of doing so, which was later revealed and reported by security researcher Alex Hope in their report titled:
“When you browse Instagram and find former Australian Prime Minister Tony Abbott’s passport number.”
Analyzing the boarding pass, Alex came across various identification points, including his carrier, the flight number, baggage details, etc. Yet the 2 main factors that got the job done were the “Booking Reference” and the passenger’s last name.
Using these, Alex went to the Qantas website and was able to access both the “Manage Booking” and “Check-in” sections, which required exactly these 2 details for someone to edit their flight information or make other changes.
While this may seem to be the end of the road, it wasn’t. Moving on, the researcher tried the “Inspect Element” tool, which is available by default in browsers and allows you to access the source code of any specific part of the website.
The result was shocking, to say the least. The passport number of a former prime minister was out in the open for anyone to see.
Furthermore, a conversation amongst the airline’s employees was also discernible, along with the former PM’s personal phone number.
Realizing how dangerous this information could be in the wrong hands, Alex contacted Qantas Airlines on March 30 through email, to which they responded that they had forwarded the vulnerability details to the concerned department.
Finally, 5 months later in August, the airline let him know that the issue had been fixed. To publish the blog post itself, he personally obtained permission from the premier through a long and arduous journey, details of which you can read in his official post.
To conclude, this incident is a good reminder to every flier out there NOT to post their boarding passes online. Even though Qantas fixed the issue, other airlines may have this vulnerability, or perhaps one far worse, which attackers could exploit fairly easily, as seen above.
Moreover, all airlines should learn from this incident and test their security measures because, after all, a cure is better than prevention (the other way around – I know).
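For teams acting on that advice, here is an added example (not code from the original article, the researcher, or Qantas) that contrasts a page embedding a whole booking record in its HTML with one built from an allowlist of fields, plus a check that scans the raw response for seeded canary values. The record layout, field names and all values are constructed assumptions.

```python
import html
import json

# Constructed test booking; field names and values are hypothetical.
# Sensitive fields hold canary strings so any leak is easy to spot.
BOOKING = {
    "booking_reference": "ABC123",
    "last_name": "EXAMPLE",
    "flight": "XX 000",
    "seat": "1A",
    "passport_number": "CANARY-PASSPORT-0001",
    "phone": "CANARY-PHONE-0002",
    "staff_remarks": "CANARY-REMARK-0003",
}

# Fields the page actually displays; everything else stays on the server.
DISPLAY_FIELDS = ("booking_reference", "last_name", "flight", "seat")
SENSITIVE_FIELDS = ("passport_number", "phone", "staff_remarks")


def render_overshared(booking):
    """Weak pattern: the whole record is embedded, only some of it is shown."""
    visible = "".join(
        f"<li>{html.escape(booking[k])}</li>" for k in DISPLAY_FIELDS
    )
    blob = html.escape(json.dumps(booking), quote=True)
    return f'<ul>{visible}</ul><div hidden data-booking="{blob}"></div>'


def render_allowlisted(booking):
    """Hardened pattern: build the response from an allowlist of fields."""
    view = {k: booking[k] for k in DISPLAY_FIELDS}
    visible = "".join(f"<li>{html.escape(v)}</li>" for v in view.values())
    blob = html.escape(json.dumps(view), quote=True)
    return f'<ul>{visible}</ul><div hidden data-booking="{blob}"></div>'


def leaked_fields(response_body, booking):
    """Return sensitive fields whose values occur anywhere in the raw response."""
    raw = html.unescape(response_body)
    return [k for k in SENSITIVE_FIELDS if booking[k] in raw]


if __name__ == "__main__":
    print("overshared:", leaked_fields(render_overshared(BOOKING), BOOKING))
    print("allowlisted:", leaked_fields(render_allowlisted(BOOKING), BOOKING))
```

The check reads the response body rather than the rendered page, so it catches values in hidden elements and attributes that a visual review would miss.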