You’re about to board a flight back home so you take a picture of your boarding pass and put it on social media. What could go wrong?
That’s what former Prime Minister Tony Abbott thought earlier this year when he posted a photo of his Qantas boarding pass to Instagram.
“A big thank you to all the team on QF26 from Tokyo,” Abbott said in his post. “Hope to see you flying again soon!”
Little did Abbott know his seemingly harmless post put him in the sights of a hacker who goes by the name “Alex”, after a friend shared the former PM’s post in a group chat, asking nonchalantly: can you hack this man?
What follows is chronicled in a blog post by Alex who details his journey from finding Tony Abbott’s phone number and password in Qantas’ booking system through to disclosing the breach to Qantas, the Australian Signals Directorate (ASD), and Tony Abbott himself.
The ‘hack’ itself was simple. Alex took the booking reference from Abbott’s Instagram post and used it to log in to Qantas’ booking system.
“Why do you want the booking reference? It’s one of the two things you need to log in to the airline website to manage your flight,” Alex said.
“The second one is your… last name.
“I was really hoping the second one would be like a password or something. But, no, it’s the booking reference the airline emails you and prints on your boarding pass.”
Once logged in, Alex poked around in the page’s HTML and discovered that, while the visible page did not display all of Tony Abbott’s customer information, such as his passport details, the server had still sent all of it to his browser.
“At this point I was fairly sure I was looking at the extremely secret government-issued ID of the 28th Prime Minister of the Commonwealth of Australia, servant to her Majesty Queen Elizabeth II and I was [kind of] worried that I was somehow doing something wrong,” Alex said.
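The data-exposure pattern described above, where a page renders only a few fields but the server ships the whole customer record to the browser, is easy to reproduce and easy to prevent. The following is an added illustration, not code from the article, from Qantas, or from Alex’s write-up; the booking record, field names and the `renderPage` template are all constructed. It shows a leaky “return the whole record and let the template hide things” handler beside a hardened handler that allowlists the fields the page actually needs, plus a check that can be dropped into a test suite to catch sensitive fields escaping in a response body.

```javascript
// Added example (not from the article or Qantas). All data below is constructed.
const SAMPLE_BOOKING = {
  reference: "ABC123",           // constructed placeholder booking reference
  lastName: "Smith",
  flight: "QF26",
  seat: "12A",
  passportNumber: "N1234567",    // constructed; must never reach the browser
  phone: "+61 400 000 000",      // constructed
  frequentFlyerPin: "1234",      // constructed
};

// Fields that should never appear in anything sent to the client.
const SENSITIVE_FIELDS = ["passportNumber", "phone", "frequentFlyerPin"];

// Fields the manage-booking page genuinely needs to render.
const PUBLIC_BOOKING_FIELDS = ["reference", "lastName", "flight", "seat"];

// Leaky pattern: hand the whole record to the page layer and rely on the
// template to "hide" what the user should not see. Everything is still in
// the HTML / JSON the browser receives.
function leakyBookingResponse(booking) {
  return { ...booking };
}

// Hardened pattern: build the response from an explicit allowlist, so a new
// column added to the database later cannot silently start leaking.
function hardenedBookingResponse(booking) {
  const out = {};
  for (const key of PUBLIC_BOOKING_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(booking, key)) {
      out[key] = booking[key];
    }
  }
  return out;
}

// A typical page template: it only prints flight and seat, but embeds the
// whole payload as JSON for client-side scripts. This is how "not shown on
// the page" and "present in the page source" come apart.
function renderPage(payload) {
  return (
    `<script>window.booking = ${JSON.stringify(payload)};</script>\n` +
    `<p>Flight ${payload.flight}, seat ${payload.seat}</p>`
  );
}

// Returns the names of any sensitive fields present in a response body.
// Suitable for a unit test or a response-logging hook in staging.
function leaksSensitiveFields(responseBody) {
  return SENSITIVE_FIELDS.filter((f) =>
    Object.prototype.hasOwnProperty.call(responseBody, f)
  );
}

// Stand-alone demonstration.
function demo() {
  const leaky = leakyBookingResponse(SAMPLE_BOOKING);
  const hardened = hardenedBookingResponse(SAMPLE_BOOKING);
  return {
    leakyLeaks: leaksSensitiveFields(leaky),          // 3 fields
    hardenedLeaks: leaksSensitiveFields(hardened),    // none
    leakyHtmlHasPassport: renderPage(leaky).includes(SAMPLE_BOOKING.passportNumber),
    hardenedHtmlHasPassport: renderPage(hardened).includes(SAMPLE_BOOKING.passportNumber),
  };
}

console.log(demo());
```

The important design choice is the allowlist in `hardenedBookingResponse`: a denylist of fields to strip would have to be updated every time the customer record grows, whereas an allowlist fails closed. The `leaksSensitiveFields` check is the kind of assertion worth running against every endpoint that serves customer data, not only the one that happened to be found.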
“So you know when you’re flopping about at home, minding your own business, drinking from your water bottle in a way that does not possess any intent to subvert the Commonwealth of Australia?” https://t.co/OCvJKODTTZ
— “Alex” (@mangopdf) September 16, 2020
He then began the responsible disclosure process.
First, Alex exchanged emails with the ASD while still unsure whether or not his disclosure also counted as a confession.
“Feeling like the digital equivalent of three kids in a trenchcoat, I broke out my best Government Email dialect and emailed ASD, asking for them to call me if they were the right place to tell about this,” Alex said.
“Fooled by my flawless disguise, they replied instantly (in a relative sense) asking for more details. I absolutely could provide them with more information, so I did, because I love to cooperate with the Australian government.”
With ASD investigating the matter, Alex reached out to Qantas so it could fix the bug that had allowed him to access Tony Abbott’s passport number.
Five months later, Qantas got back to him to say the vulnerability had been fixed and he was free to publicly share the bug.
The company also said its “standard advice to customers is not to post pictures of the boarding pass, or to at least obscure the key personal information if they do, because of the detail it contains”.
Before posting, Alex tracked down Tony Abbott through official channels – not via an ill-gotten phone number – for permission to share his story.
“Back at the beginning, I was [kind of] worried that he might misunderstand, and think I was trying to hack him or something, and that I’d be instantly slam dunked into jail,” Alex said.
“But nope, he was fine with it.”