AN AUSTRALIAN computer expert has exposed a vulnerability in the Qantas website which allowed him to discover the mobile number, passport details and Special Service Request (SSR) messages in a booking for former Australian Prime Minister Tony Abbott, based on details from an Instagram post in Mar this year.
Alex Hope described the simple exploit, which saw him use the PNR details from the post of Abbott’s boarding pass during a trip to Tokyo to log into the “Manage my Booking” facility on the Qantas site.
Examining the HTML code of the resulting page revealed a host of identity information, including the former PM’s date of birth, passport number, expiry date, full name, mobile phone and frequent flyer number.
There were also SSR messages requesting fast-track processing and a window seat in the last row of Business class.
Hope noted that the information found would be ideal for identity theft, and in a widely circulated blog post yesterday described his efforts to alert Qantas, the Government and Abbott himself about the issue.
On 30 Mar he emailed the QF security team, who responded a few days later saying they were “actively working on this”.
After no further response Hope followed up with Qantas in Jul, eventually resorting to getting in touch with the airline’s media team who confirmed the issue was being fixed by Amadeus.
Last month he was further advised that the bug had been rectified, with the airline thanking the hacker for refraining from making the issue public until the fix was in place.
QF said its standard advice to customers is not to post pictures of boarding passes.
The post QF Amadeus passport hack appeared first on Travel Daily.
Source: traveldaily