
Former Australian Prime Minister Tony Abbott Hacked After Posting Boarding Pass on Instagram (bbc.com)
Former Australian Prime Minister Tony Abbott had his phone number and passport details obtained by a hacker after posting a picture of his boarding pass on Instagram. From a report: Hacker Alex Hope said he uncovered Mr Abbott's details from his Qantas boarding pass in just 45 minutes. He then spent months attempting to contact Mr Abbott to alert him of the security breach. Qantas said it had now updated its cyber security protocols. Mr Abbott posted an image of a boarding pass for his flight from Sydney to Tokyo on 21 March on his Instagram account, thanking the crew. Mr Hope said he received a message from a friend daring him to hack the former prime minister as they had recently been discussing the dangers of posting your boarding pass online. The hacker explained in a blog post published on Wednesday that he was able to find Mr Abbott's information because his booking reference was printed on the boarding pass.
He was then able to log in to Mr Abbott's booking and search through HTML code to find his passport number and phone number. The code also included conversations with Qantas staff about Mr Abbott. "I had Tony Abbott's passport number, phone number and weird Qantas messages about him. I was the only one who knew I had these," Mr Hope said in a blog post. "Anyone who saw that Instagram post could also have them. I felt like I had to like, tell someone about this. Someone with like, responsibilities. Someone with an email signature." Mr Hope said he contacted the Australian Signals Directorate which handles cyber security. They thanked him for bringing the issue to their attention and said they would investigate.
Tony Abbott hacked? (Score:3)
He was a robot all along! I knew it!
Piss off, you racist cunt. (Score:1)
You're honestly worse than the spammers around here. And that's saying something.
Re:Tony Abbott hacked? (Score:5, Informative)
The title should read "Former Prime Minister and lifelong idiot"
Re:Tony Abbott hacked? (Score:5, Funny)
The title should read "Former Prime Minister and lifelong idiot"
You're talking about Tony Abbott, so "lifelong idiot" is redundant.
Re: (Score:2)
It couldn't have happened to a more deserving homophobic, right wing, climate change denialist.
Link to the hacker's actual blog (Score:5, Informative)
More details than the BBC link:
https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram [pdf.zone]
Re: (Score:2)
Bad practice (Score:3)
Spitting out passport numbers in plain HTML is a really bad practice. Did they think that if it is not displayed nobody will see it? Or maybe it was outsourced to some cheap offshore IT shop and they didn't care, and nobody at Qantas did any audit of the code? Though an audit of the code could be as expensive as writing the code in the first place.
Re: (Score:2)
Well, the summary says "He was then able to log in to Mr Abbott's booking and search through HTML code to find his passport number and phone number." so maybe it was hidden in an HTML comment? Security by obscurity for the win!
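A regression check for the failure discussed in this thread, as an added example (not part of the original thread and not Qantas's code): seed a test booking with canary values and report every place they appear in the returned page source, including comments, attributes and script bodies that never render. The canary values, sample page and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed canary values and sample server response; not real data.
CANARIES = {"passport": "ZZ9990001", "phone": "+61 400 000 000"}
SAMPLE_PAGE = """<html><body>
<p>Passenger: A. Example</p>
<!-- agent note: confirm phone +61 400 000 000 -->
<input type="hidden" name="doc" value="ZZ9990001">
<script>var booking = {"passportNumber": "ZZ9990001"};</script>
</body></html>"""


class LeakAuditor(HTMLParser):
    """Record every place a canary value appears in a response body."""
    def __init__(self, canaries):
        super().__init__(convert_charrefs=True)
        self.canaries = canaries
        self.findings = []      # (field, location) tuples, in document order
        self._raw_tag = None    # set while inside <script> or <style>

    def _check(self, text, location):
        for field, value in self.canaries.items():
            if value in (text or ""):
                self.findings.append((field, location))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_tag = tag
        for name, value in attrs:   # covers hidden inputs and data-* attributes
            self._check(value, f"attribute {tag}[{name}]")

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None

    def handle_data(self, data):
        where = f"<{self._raw_tag}> body" if self._raw_tag else "text node"
        self._check(data, where)

    def handle_comment(self, data):
        self._check(data, "HTML comment")


def audit_response(html, canaries=CANARIES):
    """Return all (field, location) hits; an empty list means no canary leaked."""
    auditor = LeakAuditor(canaries)
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

The match is an exact substring test, so a canary the server reformats (for example a phone number with the spaces stripped) needs each expected variant listed as its own canary.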
Re: (Score:1)
You literally said the same thing, and added nothing. The italics may seem like you're pointing something out, but you are not.
Re: (Score:2, Funny)
I added that even if the numbers were in the HTML code, it did not mean they were visible in plain view for everyone.
<!-- pedantic moron -->
Re: (Score:2)
Spitting out passport numbers in plain HTML is a really bad practice.
Yes it is. But there's multiple stupidities here. Even my sister who couldn't even figure out the thermostat in her house knows to obscure the details (especially barcode) when you post your boarding pass online.
Re: (Score:2)
Posting your boarding pass online shouldn't be a security issue. It's a piece of paper that's supposed to remind you where you're sitting and when your flight leaves. Nothing more.
The booking reference in question is probably a four or five digit alphabetical code. It would be very simple to mine them. No personal information of note should be accessible that way.
Re: (Score:2)
It's a piece of paper that's supposed to remind you where you're sitting and when your flight leaves. Nothing more.
What? No. Don't be silly. It's a valid ticket that confirms not only your seat but needs to identify you, necessarily uniquely and individually, and the exact flight you are boarding. It is used for tracking not only people boarding flights, but the overall trip to destination, required to do so in order to manage issues such as flight delays and transfer problems.
Hell there are flights where your seat is completely irrelevant, and not even assigned to say nothing of the fact that people routinely change th
Re: (Score:2)
How on earth did you think a boarding pass does the one thing that it in fact does not do?
For once I find myself agreeing with everything you've said, and then you end with this.
Which made me laugh.
Re: (Score:2)
Lol. No it's not. In fact, if you look on the back, many of them specifically state that they are *not* tickets.
You can print boarding passes using apps online. If you lose yours, they'll print you another one. Most airports have machines that will print you one, completely unsupervised.
A boarding pass is a reminder of your seat assignment, time of departure, etc. Oh, and it has a QR code on it that makes it convenient for the gate agent to bring up your ACTUAL ticket, which is electronic, and confirm that
Re: (Score:2)
It's a piece of paper that's supposed to remind you where you're sitting and when your flight leaves. ... without it you cannot board any plane, at least not in Europe or Asia.
No, it is a passport that lets you pass second and third security stage.
Re: (Score:2)
No, it's not. There are apps that let you print them. If you don't have one when you go to board, they'll print you one, no problem. The only reason they ask for them at all is that the QR code is a convenient way for them to bring up your booking and confirm that it matches your actual passport or other official ID.
Re: (Score:2)
Yes, it is, and has nothing to do with apps that print them, lol.
I get my boarding pass at the airport, not via an app. Might be different in the US, though.
Re: (Score:2)
Let's see (Score:4, Insightful)
For his sake I hope that they don't decide to shoot the messenger.
Re:Let's see (Score:4, Informative)
If you rtfa indeed, this one has a happy ending. Took a long time to fix, but the discoverer wasn't threatened with jail, just a "thanks for letting us know"
Next: Hacker Arrested for Hacking Former PM (Score:2)
Maybe they're truly appreciative of the fact that Mr. Hope flagged this vulnerability. Other countries' governments still tend to charge and/or incarcerate the messenger while denying that there was an open door to the information. Good luck, Mr. Hope!
Re: (Score:2)
If you rtfa indeed, this one has a happy ending. Took a long time, but the government was appreciative, the white hat 'hacker' waited patiently to reveal his story, and there was even a phone call with the ex-Prime Minister. Pretty much how these things should go, except for how long it took the government and airline to acknowledge the problem and fix it.
If nothing else... (Score:2)
...social media is useful for identifying complete morons in our political landscape.
I'm only 20% joking; the number of things our "leaders" do on social media that I would castigate a friend for as "are you a complete fucking moron?" are...well nearly countless.
Not the brightest kangaroo in the mob (Score:2)
spent months? (Score:4, Funny)
If he spent months trying to contact Mr Abbott to inform him of the security breach that revealed details including his phone number.
If only he had the guy's phone number, it would have been easy!
Stupid is as stupid does (Score:3)
Re: (Score:2)