Tony Abbott was given a lesson in information security by a curious security researcher who was able to discern his passport number and other sensitive information after the former prime minister of Australia posted a picture of his boarding pass on Instagram.
Organiser of the PurpleCon security conference Alex Hope was given a heads-up by a friend in March this year about photos of Abbott's Qantas boarding pass for a return flight from Tokyo.
Hope was aware that posting pictures of boarding passes is a security hazard, but noted that many people are not aware of it.
"Meanwhile, some hacker is rubbing their hands together, being all 'yumyum identity fraud' in their dark web Discord, because this happens a lot," Hope wrote in a widely-shared blog post on Wednesday.
On Instagram alone, over 122,000 pictures can be found under the #boardingpass hashtag.
From the boarding pass, Hope was able to find the booking reference.
Knowing Abbott's last name, he logged into Qantas website where he could get more details such as the former PM's flight times and frequent flyer number.
On inspecting the web page source code Hope discovered that the site also revealed Abbott's passport number and expiry date, date of birth, and phone number.
Qantas staff comments were also in the passenger information on the website.
Realising that he had stumbled upon a potentially serious leak of sensitive information that could be abused for identity theft, Hope reported it to the Australian Cyber Security Centre.
He also reported the issue to Qantas, which in turn contacted its ticking system vendor Amadeus.
Speaking to iTnews, Hope said he did not report the bug directly to Amadeus.
"I didn't even know it had anything to do with Amadeus until Qantas told me," Hope said.
After five months, Qantas told Hope that the problem had been fixed by Amadeus but no details of how it was done were provided to the security researcher.
Hope was able to publish a detailed blog post however, covering the six months it took him to responsibly disclose the information leakage vulnerability.
Another Amadeus information leakage bug was found last year by hacker Noam Rotem, affecting 141 international airlines around the world.
Rotem discovered that with captured and guessed passenger name records, it was possible to change flights, claim frequent flyer miles, assign seats and amend flier details.
Hope was concerned that in documenting and reporting the security issue, he might get into legal trouble.
However, his efforts were welcomed by all parties, including Abbott who opted to receive a crash course in information security from Hope.
Amadeus has been contacted for comment.
