
Researcher finds Tony Abbott's passport number in ticketing engine code

By Juha Saarinen on Sep 16, 2020 4:27PM

Amadeus takes five months to fix info leak.

Tony Abbott was given a lesson in information security by a curious security researcher who was able to discern his passport number and other sensitive information after the former prime minister of Australia posted a picture of his boarding pass on Instagram.

Alex Hope, organiser of the PurpleCon security conference, was given a heads-up by a friend in March this year about photos of Abbott's Qantas boarding pass for a return flight from Tokyo.

Hope was aware that posting pictures of boarding passes is a security hazard, but noted that many people are not aware of it.

"Meanwhile, some hacker is rubbing their hands together, being all 'yumyum identity fraud' in their dark web Discord, because this happens a lot," Hope wrote in a widely-shared blog post on Wednesday.

On Instagram alone, over 122,000 pictures can be found under the #boardingpass hashtag.

From the boarding pass, Hope was able to find the booking reference.

Knowing Abbott's last name, he logged into the Qantas website, where he could see further details such as the former PM's flight times and frequent flyer number.

On inspecting the page's source code, Hope discovered that the site was also sending Abbott's passport number and expiry date, date of birth, and phone number to the browser, beyond what the page itself displayed.

Internal comments by Qantas staff were also included in the passenger information served by the site.
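The pattern behind the leak Hope describes is a server that hands the browser the entire passenger record when the page only needs a few fields. The following is an added example, not code from the article, Qantas or Amadeus: a toy "manage booking" renderer in its leaky and hardened forms, plus the regression check a practitioner would want after the fix, namely that no sensitive value from the record appears anywhere in the HTTP response. All field names, the sample record and the page layout are constructed for illustration.

```python
"""Model of an over-exposed booking page and its allowlisted replacement.

Added illustration only; the record, field names and markup are invented
and do not describe any real airline or ticketing system.
"""
import html
import json

# Constructed sample of what a booking engine might hold server-side.
SAMPLE_RECORD = {
    "pnr": "ABC123",            # booking reference, printed on the boarding pass
    "last_name": "EXAMPLE",     # together with the PNR, the "login" to the booking
    "flight": "QF26",
    "departs": "2020-03-21T21:00",
    "frequent_flyer": "1234567890",
    "passport_number": "PA1234567",
    "passport_expiry": "2027-01-01",
    "date_of_birth": "1957-11-04",
    "phone": "+61400000000",
    "staff_remarks": "VIP handling, see note",
}

# Everything the page actually renders. Anything not listed here must not
# leave the server for this view.
PAGE_FIELDS = ("pnr", "flight", "departs", "frequent_flyer")

# Fields we treat as sensitive for the regression check below.
SENSITIVE_KEYS = {
    "passport_number", "passport_expiry", "date_of_birth", "phone", "staff_remarks",
}


def _page(visible, embedded):
    """Render a page showing `visible` and embedding `embedded` as JSON for the
    front-end script. `</` is escaped so the JSON cannot close the script tag."""
    blob = json.dumps(embedded).replace("</", "<\\/")
    return (
        "<html><body>"
        f"<h1>Booking {html.escape(visible['pnr'])}</h1>"
        f"<p>Flight {html.escape(visible['flight'])} departs "
        f"{html.escape(visible['departs'])}</p>"
        f"<p>Frequent flyer {html.escape(visible['frequent_flyer'])}</p>"
        f"<script>window.__BOOKING__ = {blob};</script>"
        "</body></html>"
    )


def render_leaky(record):
    """The anti-pattern: the whole record goes into the page source so the
    front-end 'has what it needs', even though only four fields are shown."""
    return _page(record, record)


def render_minimal(record):
    """Hardened form: build a view model from an explicit allowlist and embed
    only that. Adding a new field to the page means adding it to PAGE_FIELDS,
    so exposure is a deliberate decision rather than a default."""
    view = {k: record[k] for k in PAGE_FIELDS}
    return _page(view, view)


def leaked_fields(record, response_body, sensitive=SENSITIVE_KEYS):
    """Regression check: which sensitive values from `record` appear anywhere
    in the response body (rendered text, script blobs, attributes, comments)?
    Matching on values rather than key names catches leaks under any key."""
    return {k for k in sensitive if record.get(k) and str(record[k]) in response_body}


if __name__ == "__main__":
    print("leaky page exposes:", sorted(leaked_fields(SAMPLE_RECORD, render_leaky(SAMPLE_RECORD))))
    print("minimal page exposes:", sorted(leaked_fields(SAMPLE_RECORD, render_minimal(SAMPLE_RECORD))))
```

The check deliberately searches the raw response body rather than the rendered DOM: the data Hope found was in the page source, not on screen, and a test that only looks at what a browser displays would have passed. The same check fits a test suite for any endpoint that serves a record keyed by a low-entropy identifier such as a booking reference and surname.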

Realising that he had stumbled upon a potentially serious leak of sensitive information that could be abused for identity theft, Hope reported it to the Australian Cyber Security Centre.

He also reported the issue to Qantas, which in turn contacted its ticketing system vendor, Amadeus.

Speaking to iTnews, Hope said he did not report the bug directly to Amadeus.

"I didn't even know it had anything to do with Amadeus until Qantas told me," Hope said.

After five months, Qantas told Hope that the problem had been fixed by Amadeus but no details of how it was done were provided to the security researcher.

Hope was, however, able to publish a detailed blog post covering the six months it took him to responsibly disclose the information leakage vulnerability.

Another Amadeus information leakage bug was found last year by hacker Noam Rotem, affecting 141 international airlines around the world.

Rotem discovered that with captured or guessed passenger name records (PNRs), it was possible to change flights, claim frequent flyer miles, assign seats and amend flyer details.

Hope was concerned that in documenting and reporting the security issue, he might get into legal trouble.

However, his efforts were welcomed by all parties, including Abbott who opted to receive a crash course in information security from Hope.

Amadeus has been contacted for comment.

Copyright © iTnews.com.au . All rights reserved.
Tags: alex hope, amadeus, qantas, security, tony abbott
