You might not think it, but Tony Abbott is not that different to you or me. Like many of us, the former prime minister loves to use ‘social media’ to ‘post’ about his ‘life’. But one of his most recent posts may have revealed more than he intended.
On Wednesday, Australian hacker Alex Hope published a blog post claiming that he was able to figure out Abbott’s passport number and phone number, all from an Instagram post Abbott had made earlier this year.
The post? A picture of Abbott’s Qantas boarding pass with a caption thanking his flight crew.
How did an Instagram post of a boarding pass reveal Tony Abbott’s personal details?
Hope said that one afternoon earlier this year, a friend posted Abbott’s post in a group chat with a request: “can you hack this man?”
After a bit of investigation, Hope said he used the booking reference number from an old-fashioned boarding pass and Mr Abbott’s name to access Qantas’ ‘Manage Booking’ page. The page included his name, when the flight was and his frequent flyer number.
But here’s where it gets spicy. Hope claims that by inspecting the page’s HTML code (which you can easily access in any web browser), he was able to read Abbott’s passport number, his phone number and staff comments about his specific requests for seats and a fast track.
Hope goes on to chronicle his efforts to contact Abbott, Qantas and the Government to tell them what he found.
A Qantas spokesperson confirmed Hope’s account to Gizmodo and thanked him for disclosing the exploit.
“Our standard advice to customers is not to post pictures of the boarding pass, or to at least obscure the key personal information if they do, because of the detail it contains,” they said.
“We appreciate ‘Alex’ bringing this to our attention in such a responsible way, so we could fix the issue, which we did several months ago.”
Abbott did not immediately respond to a request for comment.
Lessons from Abbott’s boarding pass Instagram post
Hope told Gizmodo that while the story focuses on Abbott, he hopes that people will recognise the need to be careful about what they post online.
“The PSA is ‘boarding passes are secret, like passwords, so don’t post them’,” he said.
He was also surprised by how hard it was to actually report the exploit so it could get fixed.
“Reporting the exposed passport number to the government was easy, in a relative sense,” Hope said. “But yeah, Qantas was having big #struggles then, they still are, so it was hard to find the right person to talk to.”
Qantas claims it’s fixed the bug but Hope has no way of knowing for sure. But he also hopes that his explanation will encourage more people to seek out vulnerabilities like this.
“Hacking is so mysterious sounding (not that this post contains anything resembling highly advanced hacking), so I also want people to feel like they can do it too,” he said.
Updated to include a response from Qantas.