An Australian hacker today claimed he obtained the passport details and phone number of former Prime Minister Tony Abbott using nothing more than an old Instagram post and the Qantas website.
Alex Hope, aka Mangopdf, says he gained access to those highly sensitive details thanks to an uncensored photo of a Qantas boarding pass posted to Abbott’s Instagram.
Hope said he was able to enter a clearly-visible booking reference and Abbott’s last name into the Qantas website, allowing him to, you know, log in as former Prime Minister Tony Abbott.
Abbott’s flight had been and gone by the time Hope gained access to the Qantas website. Nevertheless, he said he deployed ‘Inspect Element’ – the oldest trick in the book! – to have a peek at the site’s HTML code.
He claims Abbott’s passport number and personal phone number were right there, just under the surface of the website.
“At this point I was fairly sure I was looking at the extremely secret government-issued ID of the 28th Prime Minister of the Commonwealth of Australia, servant to her Majesty Queen Elizabeth II and I was kinda worried that I was somehow doing something wrong,” Hope said.
“But like, not enough to stop.”
It should be said here that you can do a lot of shady, identity-thieving things with someone’s passport details and phone number, let alone the details of a former PM.
After determining that merely finding or possessing Abbott’s details probably didn’t constitute a crime, Hope said he gingerly contacted Qantas, who claim to have sorted out that particular website vulnerability.
Hope said he eventually touched base with Abbott himself, who was appreciative, if a bit bemused.
“When I’d collected myself from various corners of the room, he asked if there was a book about the basics of IT, since he wanted to learn about it,” Hope said.
“That was kinda humanising, since it made me realise that even famous people are just people too.”
Speaking to Gizmodo Australia about the issue, Hope said the takeaway was “boarding passes are secret, like passwords, so don’t post them.”
Lessons to be learned: don’t share uncensored boarding pass photos, treat your booking references like passwords, and use your powers of technological wizardry very wisely.
You can, and should, read Mangopdf’s full blog post right here.