Nice. Here's a similar personal story with a PSA that sometimes blurring is NOT sufficient.<p>A friend of mine posted on Instagram a picture of a U.S. visa (or something similar; it was probably five years ago) to announce her trip to the U.S., and she took care to blur out sensitive information such as her passport number. But a Gaussian blur is easy to reverse and I successfully unblurred it and told her my discovery. I didn't use any specialized software; it was just Mathematica with its built-in ImageDeconvolve function with guessed parameters for the Gaussian kernel.<p>I personally recommend blacking out (add a black rectangle) instead of blurring, and if it is a PDF, convert to an image afterwards because too many PDF editors use non-destructive operations to add a new object instead of changing what's underneath.
Apart from the really interesting content, this is an extremely good read, strikes me as the right kind of balance of information and keeping you entertained. I really enjoyed this writing style!
Some Grade A zingers in there:<p>> The man in question is Tony Abbott, one of Australia’s many former Prime Ministers.<p>> For security reasons, we try to change our Prime Minister every six months, and to never use the same Prime Minister on multiple websites.<p>> Harold Holt was another former Prime Minster and we… lost him? He disappeared while going for a swim one morning. This is not a joke. We named Harold Holt Memorial Swim Centre after him. I repeat, this is not a joke.
I feel like this buries the lede massively: Qantas' system was run by Amadeus, who also run the booking system for some 200 other airlines [0]. If you could do this with Qantas and get all those notes, you could probably do it to any other airline and get them too. That would be bad enough, but it also appears that this issue (or one very much like it) has been reported widely at least back in early 2019.<p>So, either Amadeus didn't fix the issue until it was disclosed here (very very bad) or Qantas didn't update their booking system for a security patch (<i>also</i> very bad).<p>[0] <a href="https://techcrunch.com/2019/01/15/amadeus-airline-booking-vulnerability-passenger-records/" rel="nofollow">https://techcrunch.com/2019/01/15/amadeus-airline-booking-vu...</a>
I found his advice to Tony on how to get better with computers remarkably insightful:<p>> I said there probably was a book out there about “the basics of IT”, but it wouldn’t help much. I didn’t learn from a book. 13 year old TikTok influencers don’t learn from a book. They just vibe.<p>> My mum always said when I was growing up that:<p>> There were “too many buttons”
She was afraid to press the buttons, because she didn’t know what they did
I can understand that, since grown ups don’t have the sheer dumb hubris of a child, and that’s what makes them afraid of the buttons.<p>> Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.<p>> Okay so I didn’t tell the spoon thing to Tony Abbott, but I did tell him what I always told my mum, which was: “Mum you just gotta press all the buttons, to find out what they do”.
Great post, thoroughly enjoyed reading it.<p>BTW, on a side note, when you try and visit the blog's homepage[0] and scroll down to the bottom, you find a link to an actual (password protected) PDF file called Mango.pdf[1]. The author 'Alex' says the password for the PDF has been embedded in the page and it didn't take me a lot of time to figure the password out from the HTML source[2].<p>But when I opened the PDF, I was hit with this random string of characters:<p>cGJhdGVuZ2h5bmd2YmFmLCBsYmggZmJ5aXJxIHpsIHlodnR2IGNobW15ci4gQCB6ci
BiYSBnanZnZ3JlIGp2Z3UgbGJoZSBzbmliaGV2Z3IgcXJmZnJlZyBnYiB0cmcgbGJo
ZSBlcmpuZXEuIFZnJ2YgeXZ4ciwgYWJnIG4gaXJlbCB0YmJxIGVyam5lcSBmYiBodQ
o=<p>I tried to decode this using every available decoder, but it only throws up random result. Was wondering if any of you smart people here had any idea about this code.<p>[0] <a href="https://mango.pdf.zone/" rel="nofollow">https://mango.pdf.zone/</a><p>[1] <a href="https://mango.pdf.zone/mango.pdf" rel="nofollow">https://mango.pdf.zone/mango.pdf</a><p>[2] view-source:<a href="https://mango.pdf.zone/" rel="nofollow">https://mango.pdf.zone/</a><p>EDIT: SOLVED IT!<p>As the commenters who replied to me mentioned, this puzzle is double-encoded. I think the trick is to figure out which decoder to use first.
The power of Inspect Element. This is exactly how I found out I was underpaid[1]. A company I worked for used a software called erecruit to manage my contracts. When you click on a clients name, it makes an ajax request to fetch the data. Being a web developer, I inspected the data returned.<p>I'm pretty sure all the developer did was:<p><pre><code> echo json_encode($queryResult);
</code></pre>
I saw how much I was getting paid vs how much they were charging clients. I quickly changed my prices after that.<p>[1]: <a href="https://idiallo.com/blog/how-much-do-you-charge-for-your-work" rel="nofollow">https://idiallo.com/blog/how-much-do-you-charge-for-your-wor...</a>
I accidentally discovered a way to get hold of passport details of random people by applying for Visa on arrival to Vietnam. There are these online portals which do some document pre processing which is legit. And on landing in Vietnam we are expected to show that we have already applied for Visa. It so happens that these portals do batch processing. Which means my application is processed along with a half a dozen or so other random applicants.<p>And so I applied for one. And when I received the confirmation document I received the entire batch file. It included passport number, expiry date and other PII of ten random people which would be super valuable in the hands of criminals and such.<p>And conversely ten random people know my PII
This is one the of the funniest things I've read in recent memory. He made an Instagram post 30 second check of Chrome's dev tools into a narrative I couldn't stop reading. Thanks for brightening my day author!
I am very impressed by this piece. Something about how “Alex” manages to blend the kind of humor not typically associated with compassion or competence, with a story that is most spectacular because of the very compassionate and competent actions of its protagonist...I literally couldn’t stop reading.<p>So well done.
> “You could drop me in the bush and I’d feel perfectly confident navigating my way out, looking at the sun and direction of rivers and figuring out where to go, but this! Hah!”<p>I mean not to call him out but this did happen and he didn't navigate his way out (although that says nothing about his confidence).<p><a href="https://www.smh.com.au/national/tony-abbott-lost-in-the-outback-20100303-phd9.html" rel="nofollow">https://www.smh.com.au/national/tony-abbott-lost-in-the-outb...</a><p>EDIT: To be fair, it's been a decade. Maybe he's worked on his orienteering skills since having that experience?
I would encourage anyone interested in this article to read it thoroughly to the end. This is one of the most satisfying articles I’ve read recently and I really enjoy the author’s unique sense of humor.
The following line confuses me, because it contradicts a lot in the post.<p><i>Update: I have been arrested.</i><p>Is that just an obvious mistake? Or is there a news flash that we would like to hear more on?
I still find it strange you can manage a booking with just a reference and name. About ~5 years ago someone I follow on twitter posted their boarding pass and I replied to them with a screen shot asking if I should cancel the booking. They removed their post and I removed mine. But all it took was the reference on the boarding pass and their last name...
The hacker known as "Alex" also gave a really fun talk at PyCon AU in 2018: <a href="https://www.youtube.com/watch?v=ZlNkIFipKZ4" rel="nofollow">https://www.youtube.com/watch?v=ZlNkIFipKZ4</a>
It's nice to live in a country where not only do various parts of the government actively try to help someone with a really bizarre issue, but no one got arrested (or shot) for bullshit trumped-up hacking charges. I can't think of many other countries responding well to 'hi I'm some random person and I used the PM's boarding pass and found out all this secret stuff'
A few years back when I was looking to buy a house, I was interested in how long the property had been on the market. (I was looking in country towns and their outskirts, where six months is a typical time for a property to be on the market; I even saw one or two blocks of land that seemed to have been for sale for at least five or six years.) Few real estate agents tell you this on their websites (though if you ask, they may), and aggregators like domain.com.au and realestate.com.au don’t either. Except sometimes they do, in the markup. My vague recollection (I don’t have the scraping scripts I wrote handy right now, they’re just on my old laptop and backups) is that I found a JSON blob in the realestate.com.au mobile website containing two dates, and that the domain.com.au desktop website fetched a JSON response from an API which happened to contain one date. I ended up deciding that REA’s dates were when the listing was first seen and last updated, and the Domain one was one of those. Neither of these sites were actually <i>displaying</i> this date, but the data was there for me to take and feed into my research.<p>Careless or unwitting information disclosure from APIs—sometimes sensitive, sometimes not—is a real problem.
In some countries, identity documents are in relatively frequent use. The number of authorised strangers who would have access to one's identity document might be significantly higher in these jurisdictions than, say, the number who would be able to view Tony Abbott's passport number. I'm thinking of - for instance - the 'personnummer' in Sweden (I've heard friends recite theirs in public when asked for them).<p>Q: Should (merely) the <i>number</i> from your passport really be considered a secret?
Great read.<p>I really like the bit about learn "the IT", there's no book or anything to be good at computers you just gotta fuck around and find out a bunch.<p>> Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.
I find it incredible that Abbott being openly vulnerable about his lack of competency with computers, has been more effective in making me like him than anything he has ever done in his political career.<p>Teams of media advisors and a very favorable alliance with the Murdock press have paled in comparison to this one blog post that didn't even have that as an aim.
Great talk [0] given during the 2016 congress touching on the Amadeus flight booking system and the danger of posting your boarding pass on social media<p>[0]: <a href="https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego" rel="nofollow">https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...</a>
We blame these social networks for collecting vast amounts of our private data (yes we should), yet these folk have no problem of posting already sensitive information under a hashtag - creating an Aladdin's cave of identities waiting to be stolen for fraud as this blog-post has demonstrated.<p>'If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place' - Eric Schmidt<p>I guess they will learn the hard way given that they aren't really 'tech savvy' or internet wise these days.
Imagine doing something similar to a government application of an EU country and in 15 minutes finding a way to expose all citizen requests for an EORI number ever (some tens of thousands), with all personal details there for you to take. This was last year and in the meantime they updated their application from an ancient 2003 Oracle one to one that's more modern.<p>Thinking in perspective now, I regret not going out with it because that ancient application probably cost millions of euro from taxes.
This post was very amusing! It always bordered on silly meme-style writing, but never doing too much of it at once which I find annoying. The story itself was also very interesting!
Surprisingly good experience, and even a call from the man himself. I'm actually impressed, I expected way more incompetence and fumbling from a government.
Great read. If somebody is interest in another great talk about boarding pass data security, there is this one from 33c3: <a href="https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego" rel="nofollow">https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...</a>
I don’t know if it’s just me or it’s the fact that I’m reading this on mobile on a small screen but I couldn’t stand the writing style. Curious to know if anyone else felt that way.
Out of curiosity a few months back I spent a few hours looking at this exact hashtag (#boardingpass) and other travel related hashtags.<p>I ended up thinking that Instagram was actively removing pictures of boarding passes because I could only find a surprisingly low amount of pictures containing valid Lastname/BookingRef. As for the few pictures available, the references were often either too old, or partially covered.<p>I'm still wondering if Instagram does remove such photos.
> If you laid all the people I contacted end to end along the equator, they would die, and you would be arrested.<p>Possibly the best line in an article full of really fantastic lines.
>I personally recommend blacking out (add a black rectangle) instead of blurring<p>This can be reversed as well, if you do black things out this way: please make sure you're using 100% opacity black. I've managed to retrieve data from plenty "blacked-out" documents simply by playing with contrast and exposure filters in Photoshop because the opacity wasn't set correctly.
Real question here is: should the passport number have any expectations of privacy?
It seems like such an easy thing to expose as you literally put it down on every document like hotel check ins etc. AFAIK it's not even a random number and instead it's generated from basic info like birth year/place/gender.<p>That being said it was a really good blog!
I like that there was such a good response to the disclosure from all the different parties, compared to this: <a href="https://research.digitalinterruption.com/2020/09/10/giggle-laughable-security/" rel="nofollow">https://research.digitalinterruption.com/2020/09/10/giggle-l...</a>
The tl;dr:<p>> Your boarding pass for a flight can sometimes be used to get your passport number. Don’t post your boarding pass or baggage receipt online, keep it as secret as your passport.<p>> How it works: The Booking Reference on the boarding pass can be used to log in to the airline’s “Manage Booking” page, which sometimes contains the passport number, depending on the airline. I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.
Amazingly written post, really enjoyable to read!<p>It's amazing that we have all those security protocols (HTTPS, e2e encryption, secure log-in, etc.) but in the end most of the "hacks" are just people being stupid or manipulated through social engineering.
This got picked up by the news in Australia [0], they also interviewed the author [1].<p>[0] <a href="https://www.abc.net.au/news/2020-09-19/tony-abbott-boarding-pass-online-cyber-safety-mistake/12678776" rel="nofollow">https://www.abc.net.au/news/2020-09-19/tony-abbott-boarding-...</a><p>[1] <a href="https://www.abc.net.au/radio/melbourne/programs/drive/alex-hope-hacking-tony-abbott-boarding-pass/12675504" rel="nofollow">https://www.abc.net.au/radio/melbourne/programs/drive/alex-h...</a>
Lately I am thinking about building a framework for web APIs where the database stores the owner, group and other's rights for each entity. The framework will then fetch data based on the user and fills the models based on the rights set for each field.<p>Exactly for the reason shown in the article.<p>I believe right now it is still too difficult to do this in any framework. That's why developers take shortcuts and just expose all entity data or just make a mistake and forget about it.<p>Does anyone know if such a framework already exists? So per field rights, not per entity rights.
Reminds me of the time I learned Jim Morrison's social security number from a framed form hanging on the wall next to my table at a Hard Rock Café, written in ballpoint pen, "redacted" with a magic marker that did nothing, obviously, to obfuscate the impression made by the pen in the paper.<p>While I have no idea how the SSN of a long-dead rock star could ever be useful, I'm certain I still have a copy saved around here somewhere...
For anyone who wants to do this easier... ZAP Proxy has a HUD display that will allow you to see the data flying on a page after you load it.<p>No need to do funky Inspect Element magic. Works wonders for reverse engineering how your fancy UI talks to the fancy API to do the fancy things.<p>If you can't figure out ZAP with HUD, you can alternatively use the Network tab on Chrome and switch to AJAX (if it's something that happens without the page loading)
Is the passport number supposed to be secret? You show them when you buy alcohol in some countries as well to the police if they ask for it - all of these people can copy the number if they so wish.
We are trying to fix this in the language ... It's just hard to convince people around that the change is worth it, I guess that I found the perfect use case.
To be honest, I find it ridiculous (just like with social security numbers) how much you can apparently do just by virtue of knowing a passport number.<p>It shouldn’t work like that.
is there a book about basics of IT?<p><a href="https://news.ycombinator.com/item?id=24492554" rel="nofollow">https://news.ycombinator.com/item?id=24492554</a>
It would've been faster and easier to report it to Instagram but this way it made a better story and educated the user better than instagram just removing the picture.
When your simple blog page is crashing Spice and virt-viewer, there is a serious bloat problem. I can't even view this blog because it immediately crashes.
A friendly advice to the author of this article. Even though I enjoyed reading the whole thing, if you are gonna have a tl;dr in your article; put it at the start, not at the end. Almost felt lika a mockery.
This write up... irreverent and dumb. Did you study any Dave Barry? <3 I would love to buy a book. I mean probably not me, but if you need any moneys