Tony Abbott is not the only Aussie to have shared a screen grab of his boarding pass on Instagram. However, it has been revealed that it took hackers only 45 minutes to get private information about the former Prime Minister, purely due to one simple mistake.
Australian tech expert Alex Hope said he was able to retrieve Mr Abbott’s phone number and passport details from the Instagram post in March.
“A big thank you to all the team on QF26 from Tokyo. Hope to see you flying again soon!” Mr Abbott captioned the photo, which has since been deleted. Pity.
Mr Hope said he took on the challenge to hack the former PM after he was dared by a friend in his group chat, who asked: “Can you hack this man?”
The “hacker” says finding the information was easy, as he simply used the details from the image on Mr Abbott’s Instagram to log in to Qantas’ booking page.
He was able to read the HTML code and find Mr Abbott’s phone number and passport number within minutes.
In a blog post, the self-described “hacker” noted that he had tried for six months to alert Mr Abbott to what had happened.
“I had Tony Abbott’s passport number, phone number, and weird Qantas messages about him. I was the only one who knew I had these,” he wrote.
“Anyone who saw that Instagram post could also have them. I felt like I had to like, tell someone about this. Someone with like, responsibilities. Someone with an email signature,” he added.
Mr Hope said he tracked Mr Abbott’s personal assistant down after many months of trying.
He then had a quick chat with Mr Abbott one-on-one.
“Mostly, he wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about ‘the IT’,” he said.
“He asked some intelligent questions, like ‘how much information is in a boarding pass, and what do people like me need to know to be safe?’, and ‘why can you get a passport number from a boarding pass, but not from a bus ticket?’.
“The answer is that boarding passes have your password printed on them, and bus tickets don’t. You can use that password to log in to a website (widely regarded as a bad move), and at that point all bets are off, websites can just do whatever they want.”
Mr Hope says Qantas fixed the bug that allowed him to retrieve Mr Abbott’s private details in July, thanks to his warnings.
He says that he hopes this incident will make people think twice about what they post to social media.
“The point is that if someone famous can unknowingly post their boarding pass, anyone can,” Mr Hope wrote.
Qantas say they have tightened their protocols.
They urge passengers to keep their booking details private.
“Our standard advice to customers is to not post pictures of the boarding pass, or to at least obscure the key personal information if they do, because of the detail it contains,” a spokesperson said.
Mr Abbott has since been issued a new passport number.
This article originally appeared on Over60.