How I found out the prime minister’s passport number and phone number from a photo on Instagram*
Contents
- 1 Act 1: Noon Sundays
- 2 Examining the photo of the boarding pass
- 2.1 ▍ Step 1: Pride
- 2.2 ▍ Step 2: scan the barcode
- 2.3 ▍ Step 2: scan the barcode, but more diligently
- 2.4 ▍ Step 2: we notice that the reservation code is printed directly on the paper
- 2.5 ▍ Step 3: go to the airline’s website
- 2.6 ▍ Step 4: enter the reservation code
- 2.7 ▍ Step 5: Crimes (?)
- 2.8 ▍ Affairs
- 2.9 ▍ We won’t quit just because the web page says so
- 2.10 ▍ We study the HTML of the “Manage Booking” page
- 2.11 ▍ Oh, no
- 2.12 ▍ Oh, yes
- 2.13 ▍ Is there anything else on this page?
- 2.14 ▍ Prohibited airline code
- 3 What did I do?
Act 1: Noon Sundays
I did household chores, I didn’t think about anything bad, I drank water, and in no way had any intent to engage in subversive activities against the Australian Union.
And then I got a message in the “group chat”1.
Cute messages from my friend with a photo of the boarding pass. The good thing about messages from friends is that they do not carry any catastrophic consequences
The owner of the ticket was Tony Abbott, one of the many former Prime Ministers of Australia.
For security reasons, we try to change the PM every six months and never use the same PM on different websites.
▍ Photo of boarding pass
It was this former prime minister who posted a photo of his boarding pass on Instagram (in case you didn’t know, Instagram is an app you run on your phone if you want to watch an ad).
The boarding pass and baggage claim were present at the already distant post.
▍ “Can you break it?”
A friend of mine (whom I’ll call by his first name in the group chat, hogge moade) asked if I could “hack him”, not because I’m someone who regularly carries out government cyber changes, but because we were talking to him recently about boarding passes.
I was saying that people post pictures of boarding passes all the time, not knowing that they can sometimes be used to get passports and other information. They just write “hooray, I’m flying on vacaaation!”, not realizing that they are fasting.
People publish their boarding passes because no one says they have to be kept secret
Meanwhile, some hacker is rubbing his hands in his dark web Discord saying “mmm, goodies, identity theft” because it happens very often.
I sat staring intently at the message wondering if I could crack it.
▍ Of course, I will not do this
Of course, my friend didn’t actually ask me to hack the former prime minister.
However…
I need to.
I mean, why not do this? Wouldn’t you be interested?
The former prime minister flashed his boarding pass. Is it bad? Does it put anyone at risk? I don’t know.
But I knew one thing for sure: the least I can do2 for my country is a little bit of searching for information in the browser.
Examining the photo of the boarding pass
▍ Step 1: Pride
I poked around a bit in the browser, got a photo of the boarding pass, and then… I don’t know what happened next.
Yes, I’ve heard it’s not a good idea to flash your boarding pass online because some boring 17-year-old hacker named Katie-senpai can somehow use it to steal your identity. But I didn’t know anyone with that experience, so I just clumsily tried to google something.
▍ Google “how to hack a boarding pass”
Eventually I found a post which said that photos of boarding passes can indeed be used to commit crimes. For your criminal cases you will need the barcode, because it contains a Booking Reference (e.g. H8JA2A).
Why do you need a reservation code? This is one of two pieces of data required to log in to the airline’s website to manage flight data.
The second part is… the last name. I was really hoping the second one would be something like a password. But no, it’s a reservation code that the airline mails to you and prints on your boarding pass. Is this enough to log into the account on the airline website?
▍ Step 2: scan the barcode
I’ve been practicing every morning until dawn, but I still can’t recognize barcodes visually. I had to run the barcode scanner on my phone, but when I tried to scan a photo from an Instagram post*, nothing came up:
I suspect you need to get rid of the blur first
▍ Step 2: scan the barcode, but more diligently
Well, maybe it didn’t scan because the photo was too blurry.
I spent about fifteen minutes on editing: processing the image, increasing the contrast and so on. Despite my best efforts, I was unable to scan the barcode.
▍ Step 2: we notice that the reservation code is printed directly on the paper
After scrutinizing this image for fifteen minutes, I noticed that the reservation code was simply printed on the baggage claim.
And I graduated from the university.
But it did not prepare me for this.
▍ Step 3: go to the airline’s website
Recovering from such a moral shock, I went to the site qantas.com.au and clicked on “Manage Booking”. In case you don’t know because you live in a country with fast internet, Qantas is the largest airline in Australia.
▍ Step 4: enter the reservation code
A login form opened, in which you had to enter the reservation code and last name. I had already copied the code from the photo of the boarding pass and, of course, I knew the last name3.
I didn’t hesitate for a second, but… No, I had to find out.
▍ Step 5: Crimes (?)
Manage Booking page, I logged in as Anthony Abbott
▍ Affairs
Looks like I logged in as Tony Abbott. And who knows, maybe there’s someone else here with me who saw his Instagram post*. It’s nice to know we’re all here together. But from the point of view of the state, it may not be optimal.
▍ Was there something secret?
Then I just looked at the page incredibly carefully.
I saw Tony Abbott’s name (turns out he’s actually Anthony Abbott), takeoff and landing times, and a frequent flyer number, but nothing particularly secret. You will not commit any treason with a frequent flyer number. The flight had already taken place, so I couldn’t change anything.
The page said that the ticket was booked through a travel agent, so I assumed that was why some of the information was missing.
I clicked here and there, skimmed the page, but didn’t find any government secrets.
Probably, some would have already given up. But I, computer Icarus, was just too stupid to stop.
▍ We won’t quit just because the web page says so
I wanted to find out what else was interesting within the page. For that, the only hacking tool known to me was enough.
Right click and Inspect Element – that’s all you need to sabotage the Australian Union
▍ How does View Code work?
“View code”, as the name implies, is a feature of Google Chrome that allows you to view the internal computer description (HTML) of a web page. It’s like you’re opening a watch and watching a party thrown by gears.
Ahh, spin, little cogs. Now imagine the same thing happening with JavaScript
Everything you see when you click View Code is already downloaded to your computer; you just haven’t asked Chrome to show it yet. Cheap tricks like “View Code” are used by programmers to understand how a website works. But at the end of the day, these efforts are insignificant: no one will be able to understand how websites work. Unfortunately, the first time you see it, it seems similar to hacking.
▍ We study the HTML of the “Manage Booking” page
I skimmed through the HTML of the page, not really understanding what it all meant, and desperately trying to find anything that looked like a strange place or secret.
Eventually, I realized that I wasn’t protecting my country effectively by reading HTML line by line, so I hit Ctrl+F and typed “passport” into the search.
▍ Oh, no
▍ Oh, yes
It’s just specified right there.
At this point I was almost certain that I had found an extremely secret government document issued to the 28th Prime Minister of the Australian Union, subject to Her Majesty Queen Elizabeth II [translator’s note: the original article was written in 2020], and I was a little worried that I was doing something illegal. But not illegal enough to stop me.
▍ Is there anything else on this page?
Yes, well, if this trove of computer spaghetti already has Tony Abbott’s passport number, there must be a lot more. Maybe this HTML contains the lost Sydney Opera House space launch codes or the Harold Holt mystery4?
Maybe there is a phone number?
I searched for phone and number but found nothing, so I strained my mighty galactic-level mind and searched for 614, the first three digits of Australian telephone numbers.
▍ Strange capital letters
There was a strange pile of what I can only describe as extremely large letters. It looked like this:
RQST QF HK1 HNDSYD/03EN|FQTV QF HK1|CTCM QF HK1 614[phone number]|CKIN QF HN1 DO NOT SEAT ROW [row number] PLS SEAT LAST ROW OF [row letter] WINDOW
Yes, there is a lot of information here. The phone number was indeed found. But what is everything else?
I realized it was… Qantas employees talking to each other about Tony Abbott, but not with him.
There is a passage in this correspondence of the century: HITOMI CALLED RQSTING FASTTRACK FOR MR. ABBOTT. Looks like Hitomi is asking another Qantas employee to “fasttrack” (I thought that only happened in movies) [translator’s note: fast track is an expedited check-in procedure, with no queues and in priority order].
▍ Why it’s a complete mess
What is going on here anyway? Why do Qantas staff communicate with each other through the passenger information field? Why are they sending these messages and the user’s passport number to him after he logs in to the website? But I never found out about it, because my attention was suddenly caught by…
▍ Prohibited airline code
I realized that all this jumble of capital letters must be some sort of airline code. Bright and intense googling led me to a bunch of ancient banned PDFs that explained some of the codes.
It seems they are called SSR (Special Service Request) codes. For example, there are codes for “dishes for ovolactovegetarians” (VLML), “vegetarian oriental dish” (VOML), and even “vegetarian vegan dishes” (VGML). I’m curious about these codes, so I’ll give some examples in case you’re curious too (stress yourself, I’m UMNR):
RFTV Reason for travel
UMNR Unaccompanied minor
PDCO Carbon offset (chargeable)
WEAP Weapon
DEPA Deportee, accompanied by an escort
ESAN Passenger with an emotional support animal in the cabin
The phone number I found looked like this: CTCM QF HK1 [phone number]. Googling “SSR CTCM”, I came across a developer guide from some airline association; looks like I’m actually a member now.
CTCM QF HK1 stands for “contact phone number of passenger 1”
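An added example (not code from the original article or from Qantas): a server-side default-deny filter for the kind of SSR string quoted above, so that staff remarks and contact fields never reach the HTML that a logged-in user can open with Inspect Element. The element layout is inferred from the sample on this page; the function names, the allowlist and the sample digits are assumptions made for illustration.

```python
# Constructed sample in the shape of the string quoted above; digits are made up.
SAMPLE = ("RQST QF HK1 HNDSYD/03EN|FQTV QF HK1|"
          "CTCM QF HK1 61400000000|"
          "CKIN QF HN1 DO NOT SEAT ROW 0 PLS SEAT LAST ROW OF X WINDOW")

# Assumption: the only codes this hypothetical site shows a passenger are the
# meal requests named in the article. Every other code is withheld by default.
CLIENT_SAFE_CODES = {"VLML", "VOML", "VGML"}


def parse_ssr(raw):
    """Split a '|'-separated SSR string into dicts.

    The layout (code, carrier, action, free text) is inferred from the
    sample above, not taken from a specification.
    """
    elements = []
    for chunk in raw.split("|"):
        tokens = chunk.strip().split(None, 3)
        if not tokens:
            continue  # tolerate empty segments such as a trailing '|'
        tokens += [""] * (4 - len(tokens))
        code, carrier, action, text = tokens
        elements.append({"code": code, "carrier": carrier,
                         "action": action, "text": text})
    return elements


def client_view(raw):
    """Default-deny: return (elements safe to render, codes withheld)."""
    safe, withheld = [], []
    for el in parse_ssr(raw):
        if el["code"] in CLIENT_SAFE_CODES:
            # Free text is dropped even for allowed codes: it may hold staff notes.
            safe.append({"code": el["code"], "carrier": el["carrier"]})
        else:
            withheld.append(el["code"])
    return safe, withheld


def leaked_codes(html, raw):
    """Release check: codes whose free text appears verbatim in rendered HTML."""
    return [el["code"] for el in parse_ssr(raw)
            if el["text"] and el["text"] in html]
```

Running `leaked_codes` over the rendered page in a pre-release test catches the case the article describes, where a field is not displayed but is still present in the markup.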
▍ Is this his number?
I thought maybe the phone number belonged to a travel company, but I checked and, judging by the requirements, it must be the passenger’s real phone number. That is, if my calculations are correct… *folds fingers into a house*… this is Tony Abbott’s phone number.
What did I do?
Now I have:
- Tony Abbott’s passport number.
- His phone number.
- Strange comments from Qantas staff.
Tony Abbott’s passport is probably a diplomatic passport, which is used by “official representatives of the Australian Government overseas”.
At this point, the defense of the country was over, and I had a few more thoughts:
- what did i do
- must find someone to invalidate Tony Abbott’s passport number
- and is it possible to make the passport number invalid?
- Could it turn out that I committed a crime?
[Translator’s note: the author began dealing with the last question in the second part of the article.]
* Instagram belongs to the company Meta, recognized as an extremist organization and banned in the Russian Federation.
1. This is one of those group chats where the name keeps changing and you have no idea who you’re talking to.
2. To be honest, I didn’t want to just do some cheesy identity theft, I was wondering if he had posted something secret, because if he had, someone had to do something about it.
3. The last name is also printed on the baggage receipt. So even if I didn’t know who posted this photo, everything I needed to verify the reservation was conveniently laid out on the receipt.
4. Harold Holt is another former Prime Minister we just lost. One morning he went swimming and never came back. This is not a joke. We named a swimming pool after him. I repeat, this is not a joke.