Australian “hacker” Alex Hope was able to obtain former Prime Minister Tony Abbott’s phone and passport number after Mr Abbott uploaded a post of his boarding pass on Instagram. He told The Feed the whole process took him less than an hour.
Alex said it all started after a friend in his group chat posted the image from Mr Abbott’s Instagram account and dared him: “can you hack this man?”.
The self-described “hacker” said he took up the challenge and used the details from the image on Mr Abbott’s Instagram to log into Qantas’ booking page.
Alex said he was able to read the HTML code and find Mr Abbott’s phone number and passport number.
“The whole thing took maybe 45 minutes? Half an hour if you leave out me trying to scan the barcode for 15 minutes, failing to notice the booking reference was just printed on the boarding pass,” Alex told The Feed.
“When I first saw the passport number, I thought 'oh no. It's just...there',” he added.
In a blog post, Alex discusses his six-month attempt to alert Mr Abbott and Qantas of the security breach.
“I had Tony Abbott’s passport number, phone number, and weird Qantas messages about him. I was the only one who knew I had these,” he wrote.
“Anyone who saw that Instagram post could also have them. I felt like I had to like, tell someone about this. Someone with like, responsibilities. Someone with an email signature,” he added.
After months of trying to get a hold of the former Prime Minister, Alex said he tracked down Mr Abbott’s personal assistant. He claims Mr Abbott’s personal assistant told him he was already in the process of getting his boss a new passport number.
He said it wasn’t long after that phone call that Mr Abbott himself gave Alex a call.
“Mostly, he wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about ‘the IT’,” Alex said.
“When I’d collected myself from various corners of the room, he asked if there was a book about the basics of IT since he wanted to learn about it. That was kinda humanising since it made me realise that even famous people are just people too,” he added.
A spokesperson for Mr Abbott told The Feed: “Mr Hope brought this issue to the attention of relevant bodies earlier this year, and it has since been resolved”.
Alex also claims that after informing Qantas in March, the airline company told him they fixed the bug in July.
In a written statement to The Feed, a Qantas spokesperson confirmed Alex’s story and thanked him “for bringing this to our attention in such a responsible way, so we could fix the issue, which we did several months ago.”
“Our standard advice to customers is not to post pictures of the boarding pass, or to at least obscure the key personal information if they do, because of the detail it contains,” the spokesperson continued.
Alex said that if someone has your passport number they can book “an international flight as you, apply for anything that requires proof of identity documentation with the government, activate a SIM card and create a fake physical passport from a template, with the correct passport number (which they then use to cross a border, open a bank account, or anything)”.
“The point of this story isn’t to say ‘wow Tony Abbott got hacked, what a dummy’. The point is that if someone famous can unknowingly post their boarding pass, anyone can.”