title image what's up twitter-large

Act 1: Sunday afternoon

So you know when you’re flopping about at home, minding your own business, drinking from your water bottle in a way that does not possess any intent to subvert the Commonwealth of Australia?

It’s a feeling I know all too well, and in which I was vigorously partaking when I got this message in “the group chat”1.

Can you hack this man?|medium A nice message from my friend, with a photo of a boarding pass 🙂 A good thing about messages from your friends is that they do not have any rippling consequences 🙂🙂🙂

The man in question is Tony Abbott, one of Australia’s many former Prime Ministers.

if u google tony abbott u get this|small That’s him, officer

For security reasons, we try to change our Prime Minister every six months, and to never use the same Prime Minister on multiple websites.2

The boarding pass photo

This particular former PM had just posted a picture of his boarding pass on Instagram (Instagram, in case you don’t know it, is an app you can open up on your phone any time to look at ads).

Instagram post showing boarding pass|large The since-deleted Instagram post showing the boarding pass and baggage receipt. The caption reads “coming back home from japan 😍😍 looking forward to seeing everyone! climate change isn’t real 😌 ok byeee”

“Can you hack this man?”

My friend3 (who we will refer to by their group chat name, 𝖍𝖔𝖌𝖌𝖊 𝖒𝖔𝖆𝖉𝖊) is asking4 whether I can “hack this man” not because I am the kind of person who regularly commits 𝒄𝒚𝒃𝒆𝒓 𝒕𝒓𝒆𝒂𝒔𝒐𝒏 on a whim, but because we’d recently been talking about boarding passes.

I’d said that people post pictures of their boarding passes all the time, not knowing that it can sometimes be used to get their passport number and stuff. They just post it being like “omg going on holidayyyy 😍😍😍”, unaware that they’re posting cringe.

screenshot of #boardingpass on instagram|medium People post their boarding passes all the time, because it’s not clear that they’re meant to be secret

Meanwhile, some hacker is rubbing their hands together, being all “yumyum identity fraud 👀” in their dark web Discord, because this happens a lot.

screenshot of #boardingpass on instagram


So there I was, making intense and meaningful eye contact with this chat bubble, asking me if I could “hack this man”.

Surely you wouldn’t

Of course, my friend wasn’t actually asking me to hack the former Prime Minister.






However.







You gotta.

I mean… what are you gonna do, not click it? Are you gonna let a link that’s like 50% advertising tracking ID tell you what to do? Wouldn’t you be curious?

The former Prime Minister had just posted his boarding pass. Was that bad? Was someone in danger? I didn’t know.

What I did know was: the least I could do5 for my country would be to have a casual browse 👀

Investigating the boarding pass photo

Step 1: Hubris

So I had a bit of a casual browse, and got the picture of the boarding pass, and then…. I didn’t know what was supposed to happen after that.

Well, I’d heard that it’s bad to post your boarding pass online, because if you do, a bored 17 year-old Russian boy called “Katie-senpai” might somehow use it to commit identity fraud. But I don’t know anyone like that, so I just clumsily googled some stuff.

Googling how 2 hakc boarding pass

uhhh|small

Eventually I found a blog post explaining that yes, pictures of boarding passes can indeed be used for Crimes. The part you wanna be looking at for all your criming needs is the barcode, because it’s got the “Booking Reference” (e.g. H8JA2A) in it.

Why do you want the booking reference? It’s one of the two things you need to log in to the airline website to manage your flight.

The second one is your… last name. I was really hoping the second one would be like a password or something. But, no, it’s the booking reference the airline emails you and prints on your boarding pass. And it also lets you log in to the airline website?

That sounds suspiciously like a password to me, but like I’m still fine to pretend it’s not if you are.

Step 2: Scan the barcode

I’ve been practicing every morning at sunrise, but still can’t scan barcodes with my eyes. I had to settle for a barcode scanner app on my phone, but when I tried to scan the picture in the Instagram post, it didn’t work :((

the boarding pass photo Maybe I shouldn’t have blurred out the barcode first

Step 2: Scan the barcode, but more

Well, maybe it wasn’t scanning because the picture was too blurry.

I spent around 15 minutes in an “enhance, ENHANCE” montage, fiddling around with the image, increasing the contrast, and so on. Despite the montage taking up way too much of the 22 minute episode, I couldn’t even get the barcode to scan6.

Step 2: Notice that the Booking Reference is printed right there on the paper

After staring at this image for 15 minutes, I noticed the Booking Reference is just… printed on the baggage receipt.

I graduated university.

But it did not prepare me for this.

Boarding pass with booking reference highlighted askdjhaflajkshdflkh

Step 3: Visit the airline’s website

Manage booking login screen with empty fields-large

After recovering from that emotional rollercoaster, I went to qantas.com.au, and clicked “Manage Booking”. In case you don’t know it because you live in a country with fast internet, Qantas is the main airline here in Australia.

(I also very conveniently started recording my screen, which is gonna pay off big time in just a moment.)

Step 4: Type in the Booking Reference

Well, the login form was just… there, and it was asking for a Booking Reference and a last name. I had just flawlessly read the Booking Reference from the boarding pass picture, and, well… I knew the last name7.

I did hesitate for a split-second, but… no, I had to know.

Step 5: Crimes(?)

youngman.mp4

The logged in "manage booking page" The “Manage Booking” page, logged in as some guy called Anthony Abbott

Can I get a YIKES in the chat

Leave a comment if you really felt that.

yikes

I guess I was now logged the heck in as Tony Abbott? And for all I know, everyone else who saw his Instagram post was right there with me. It’s kinda wholesome, to imagine us all there together. But also probably suboptimal in a governmental sense.

Was there anything secret in here?

I then just incredibly browsed the page, browsed it so hard.

I saw Tony Abbott’s name8, flight times, and Frequent Flyer number, but not really anything super secret-looking. Not gonna be committing any cyber treason with a Frequent Flyer number. The flight was in the past, so I couldn’t change anything, either.

The page said the flight had been booked by a travel agent, so I guessed some information would be missing because of that.

I clicked around and scrolled a considerable length, but still didn’t find any government secrets.

Some people might give up here. But I, the Icarus of computers, was simply too dumb to know when to stop.

We’re not done just because a web page says we’re done

I wanted to see if there were juicy things hidden inside the page. To do it, I had to use the only hacker tool I know.

Right click > Inspect-small Right click > Inspect Element, all you need to subvert the Commonwealth of Australia

Listen. This is the only part of the story that might be confused for highly elite computer skill. It’s not, though. Maybe later someone will show you this same thing to try and flex, acting like only they know how to do it. You will not go gently into that good night. You will refuse to acknowledge their flex, killing them instantly.

How does “Inspect Element” work?

“Inspect Element”, as it’s called, is a feature of Google Chrome that lets you see the computer’s internal representation (HTML) of the page you’re looking at. Kinda like opening up a clock and looking at the cool cog party inside.

cog party|small Yeahhh go little cogs, look at ‘em absolutely going off. Now imagine this but with like, JavaScript

Everything you see when you use “Inspect Element” was already downloaded to your computer, you just hadn’t asked Chrome to show it to you yet. Just like how the cogs were already in the watch, you just hadn’t opened it up to look.

But let us dispense with frivolous cog talk. Cheap tricks such as “Inspect Element” are used by programmers to try and understand how the website works. This is ultimately futile: Nobody can understand how websites work. Unfortunately, it kinda looks like hacking the first time you see it.

If you’d like to know more about it, I’ve prepared a short video.

Browsing the “Manage Booking” page’s HTML

I scrolled around the page’s HTML, not really knowing what it meant, furiously trying to find anything that looked out of place or secret.

I eventually realised that manually reading HTML with my eyes was not an efficient way of defending my country, and Ctrl + F’d the HTML for “passport”.

oh no

Blurred screenshot of close up "passport" number

Oh yes

It’s just there.

At this point I was fairly sure I was looking at the extremely secret government-issued ID of the 28th Prime Minister of the Commonwealth of Australia, servant to her Majesty Queen Elizabeth II and I was kinda worried that I was somehow doing something wrong, but like, not enough to stop.

….anything else in this page?

Well damn, if Tony Abbott’s passport number is in this treasure trove of computer spaghetti, maybe there’s wayyyyy more. Perhaps this HTML contains the lost launch codes to the Sydney Opera House, or Harold Holt9.

Maybe there’s a phone number?

Searching for phone and number didn’t get anywhere, so I searched for 614, the first 3 digits of an Australian phone number, using my colossal and highly celestial galaxy brain.

Weird uppercase letters

A weird pile of what I could only describe as extremely uppercase letters came up. It looked like this:

RQST QF HK1 HNDSYD/03EN|FQTV QF HK1|CTCM QF HK1 614[phone number]|CKIN QF HN1 DO NOT SEAT ROW [row number] PLS SEAT LAST ROW OF [row letter] WINDOW

So, there’s a lot going on here. There is indeed a phone number in here. But what the heck is all this other stuff?

I realised this was like… Qantas staff talking to eachother about Tony Abbott, but not to him?

In what is surely the subtweeting of the century, it has a section saying HITOMI CALLED RQSTING FASTTRACK FOR MR. ABBOTT. Hitomi must be requesting a “fasttrack” (I thought that was only a thing in movies???) from another Qantas employee.

This is messed up for many reasons

What is even going on here? Why do Qantas flight staff talk to eachother via this passenger information field? Why do they send these messages, and your passport number to you when you log in to their website? I’ll never know because I suddenly got distracted with

Forbidden airline code

I realised the allcaps muesli I saw must be some airline code for something. Furious and intense googling led me to several ancient forbidden PDFs that explained some of the codes.

Apparently, they’re called “SSR codes” (Special Service Request). There are codes for things like “Vegetarian lacto-ovo meal” (VLML), “Vegetarian oriental meal” (VOML), and even “Vegetarian vegan meal” (VGML). Because I was curious about these codes, here’s some for you to be curious about too (tag urself, I’m UMNR):

RFTV    Reason for Travel
UMNR    Unaccompanied minor
PDCO    Carbon Offset (chargeable)
WEAP    Weapon
DEPA    Deportee—accompanied by an escort
ESAN    Passenger with Emotional Support Animal in Cabin

The phone number I found looked like this: CTCM QF HK1 [phone number]. Googling “SSR CTCM” led me to the developer guide for some kind of airline association, which I assume I am basically a member of now.

CTCM|medium CTCM QF HK1 translates as “Contact phone number of passenger 1”

Is the phone number actually his?

I thought maybe the phone number belonged to the travel agency, but I checked and it has to be the passenger’s real phone number. That would be, if my calculations are correct,,,, *steeples fingers* Tony Abbott’s phone number.

what have i done

I’d now found Tony Abbott’s:

  • Passport details
  • Phone number
  • Weird Qantas staff comments.

My friend who messaged me had no idea.

Tony Abbott’s passport is probably a Diplomatic passport, which is used to “represent the Australian Government overseas in an official capacity”.

what have i done

By this point I’d had enough defending my country, and had recently noticed some new thoughts in my brain10, which were:

  • oh jeez oh boy oh jeez
  • i gotta get someone, somehow, to reset tony abbott’s passport number
  • can you even reset passport numbers
  • is it possible that i’ve done a crime

Intermission

anime is real


Act 2: Do not get arrested challenge 2020

In this act, I, your well-meaning but ultimately incompetent protagonist, attempt to do the following things:

  • ⬜ figure out whether i have done a crime
  • ⬜ notify someone (tony abbott?) that this happened
  • ⬜ get permission to publish this here blog post
  • ⬜ tell qantas about the security issue so they can fix it

Spoilers: This takes almost six months.


Let’s skip the boring bits

I contacted a lot of people about this. If my calculations are correct11, I called at least 30 phone numbers, to say nothing of The Emails. If you laid all the people I contacted end to end along the equator, they would die, and you would be arrested. Eventually I started keeping track of who I talked to in a note I now refer to as “the hashtag struggle”.

I’m gonna skip a considerable volume of tedious and ultimately unsatisfying telephony, because it’s been a long day of scrolling already, and you need to save your strength.

Alright strap yourself in and enjoy as I am drop-kicked through the goal posts of life.


Part 1: is it possible that i’ve done a crime

I didn’t think anything I did sounded like a crime, but I knew that sometimes when the other person is rich or famous, things can suddenly become crimes. Like, was there going to be some Monarch Law or something? Was Queen Elizabeth II gonna be mad about this?

My usual defence against being arrested for hacking is making sure the person being hacked is okay with it. You heard me, it’s the power of ✨consent✨. But this time I could uh only get it in retrospect, which is a bit yikes.

So I was wondering like… was logging in with someone else’s booking reference a crime? Was having someone else’s passport number a crime? What if they were, say, the former Prime Minister? Would I get in trouble for publishing a blog post about it? I mean you’re reading the blog post right now so obviousl

Update: I have been arrested.

Just straight up Reading The Law

It turned out I could just google these things, and before I knew it I was reading “the legislation”. It’s the rules of the law, just written down.

Look, reading pages of HTML? No worries. Especially if it’s to defend my country. But whoever wrote the legislation was just making up words.

Eventually, I was able to divine the following wisdoms from the Times New Roman tea leaves:

  • Defamation is where you get in trouble for publishing something that makes someone look bad.
    • But, it’s fine for me to blog about it, since it’s not defamation if you can prove it’s true
  • Having Tony Abbott’s passport number isn’t a crime
    • But using it to commit identity fraud would be
  • There are laws about what it’s okay to do on a computer
    • The things it’s okay to do are: If u EVER even LOOK at a computer the wrong way, the FBI will instantly slam dunk you in a legal fashion dependent on the legislation in your area

I am possibly the furthest thing you can be from a lawyer. So, I’m sure I don’t need to tell you not to take this as legal advice. But, if you are the kind of person who takes legal advice from mango blog posts, who am I to stand in your way? Not a lawyer, that’s who. Don’t do it.

You know what, maybe I needed help. From an adult. Someone whose 3-year old kid has been buying iPad apps for months because their parents can’t figure out how to turn it off.

“Yeah, maybe I should get some of that free government legal advice”, I thought to myself, legally. That seemed like a pretty common thing, so I thought it should be easy to do. I took a big sip of water and googled “free legal advice”.

trying to ask a lawyer if i gone and done a crime

Before I went and told everyone about my HTML frolicking, I spent a week calling legal aid numbers, lawyers, and otherwise trying to figure out if I’d done a crime12.

During this time, I didn’t tell anyone what I’d done. I asked if any laws would be broken if “someone” had “logged into a website with someone’s publicly-posted password and found the personal information of a former politician”. Do you see how that’s not even a lie? I’m starting to see how lawyers do it.

First I call the state government’s Legal Aid number. They tell me they don’t do that here, and I should call another Legal Aid place named something slightly different.

The second place tells me they don’t do that either, and I should call the First Place and “hopefully you get someone more senior”.

I call the First Place again, and they say “oh you’ve been given the run around!”. You see where this is going.

Let’s skip a lot of phone calls. Take my hand as I whisk you towards the slightly-more-recent past. Based on advice I got from two independent lawyers that was definitely not legal advice: I haven’t done a crime.

Helllllll yeah. But I mean it’s a little late because I forgot to mention that by this point I had already emailed explicit details of my activities to the Australian Government.


  • ☑️ figure out whether i have done a crime
  • ⬜ notify someone (tony abbott?) that this happened
  • ⬜ get permission to publish this here blog post
  • ⬜ tell qantas about the security issue so they can fix it

Part 2: trying to report the problem to someone, anyone, please

I had Tony Abbott’s passport number, phone number, and weird Qantas messages about him. I was the only one who knew I had these.

Anyone who saw that Instagram post could also have them. I felt like I had to like, tell someone about this. Someone with like, responsibilities. Someone with an email signature.

wait but do u see the irony in this, u have his phone number right there so u could just-

Yes I see it thank u for pointing this out, wise, astute, and ultimately self-imposed heading. I knew I could just call the number any time and hear a “G’day” I’d never be able to forget. I knew I had a rare opportunity to call someone and have them ask “how did you get this number!?”.

But you can’t just do that.

You can’t just call someone’s phone number that you got by rummaging around in the HTML ball pit. Tony Abbott didn’t want me to have his phone number, because he didn’t give it to me. Maybe if it was urgent, or I had no other option, sure. But I was pretty sure I should do this the Nice way, and show that I come in peace.

I wanted to show that I come in peace because there’s also this pretty yikes thing that happens where you email someone being all like “henlo ur website let me log in with username admin and password admin, maybe u wanna change that??? could just be me but let me kno what u think xoxo alex” and then they reply being like “oh so you’re a HACKER and a CRIMINAL and you’ve HACKED ME AND MY FAMILY TOO and this is a RANSOM and ur from the DARK WEB i know what that is i’ve seen several episodes of mr robot WELL watch out kiddO bc me and my lawyers are bulk-installing tens of thousands of copies of McAfee® Gamer Security as we speak, so i’d like 2 see u try”

Surely you just contact Tony Abbott officially

I googled “tony abbott contact”, but there’s only his official website. There’s no phone number on it, only a “contact me” form.

Contact me form|medium I imagine there have been some passionate opinions typed into this form at 9pm on a Tuesday

Yeah right, have you seen the incredible volume of #content people want to say at politicians? No way anyone’s reading that form.

I later decided to try anyway, using the same Inspect Element ritual from earlier. Looking at the network requests the page makes, I divined that the “Contact me” form just straight up does not work. When you click “submit”, you get an error, and nothing gets sent.

Contact us 403| This is an excellent way of using computers to solve the problem of “random people keep sending me angry letters”

Well rip I guess13. I eventually realised the people to talk to were probably the government.

The government

It’s a big place.

In the beginning, humans developed the concept of language by banging rocks together and saying “oof, oog, and so on”. Then something went horribly wrong, and now people unironically begin every sentence with “in regards to”. Our story begins here.

The government has like fifty thousand million different departments, and they all know which acronyms to call each other, but you don’t. If you EVER call it DMP&C instead of DPM&C you are gonna be express email forwarded into a nightmare realm the likes of which cannot be expressed in any number of spreadsheet cells, in spite of all the good people they’ve lost trying.

I didn’t even know where to begin with this. Desperately, I called Tony Abbott’s former political party, who were all like

they were all like this-medium

Skip skip skip a few more calls like this.

Maybe I knew someone who knew someone

That’s right, the true government channels were the friends we made along the way.

I asked hacker friends who seemed like they might know government security people. “Where do I report a security issue with like…. a person, not a website?”

They told me to call… 1300 CYBER1?

1300 CYBER1

I don’t really have a good explanation for this so I’m just gonna post the screenshots.

Screenshot of 1300 CYBER1 chat|small My friend showing me where to report a security issue with the government. I’m gonna need you to not ask any questions about the profile pictures.

cyber1website Uhhh no wait I don’t wanna click any of these

Screenshot of 1300 CYBER1 chat second half|large The planet may be dying, but we live in a truly unparalleled age of content.

You know I smashed that call button on 1300 CYBER1. Did they just make it 1300 CYBER then realise you need one more digit for a phone number? Incredible.

Calling 1300 c y b e r o n e

“Yes yes hello, ring ring, is this 1300 cyber one”? They have to say yes if you ask that. They’re legally obligated.

The person who picked up gave me an email address for ASD (the Australian flavour of America’s NSA), and told me to email them the details.

Emailing the government my crimes

Feeling like the digital equivalent of three kids in a trenchcoat, I broke out my best Government Email dialect and emailed ASD, asking for them to call me if they were the right place to tell about this.

ASD email|medium Sorry for the clickbait subject but well that’s what happened???

Fooled by my flawless disguise, they replied instantly (in a relative sense) asking for more details.

ASD reply|medium “Potential” exposure, yeah okay. At least the subject line had “[SEC=Sensitive]” in it so I _knew_ I’d made it big

I absolutely could provide them with more information, so I did, because I love to cooperate with the Australian government.

I also asked whether they could give me permission to publish this blog post, and they were all like “Seen 2:35pm”. Eventually, after another big day of getting left on read by the government, they replied, being all like “thanks kiddO, we’re doing like, an investigation and stuff, so we’ll take it from here”.

Overall, ASD were really nice to me about it and happy that I’d helped. They encouraged me to report this kind of thing to them if it happened again, but I’m not really in the business of uhhhhhhhh whatever the heck this is.

By the way, at this point in the story (chronologically) I had no idea if what I was emailing the government was actually the confession to a crime, since I hadn’t talked to a lawyer yet. This is widely regarded as a bad move. I do not recommend anyone else use “but I’m being so helpful and earnest!!!” as a legal defence. But also I’m not a lawyer, so idk, maybe it works?

Wholesomely emailing the government

At one point in what was surely an unforgettable email chain, the person I was emailing added a P.S. containing…. the answer to the puzzle hidden on this website. The one you’re reading this blog on right now. Hello. I guess they must have found this website (hi asd) by stalking the email address I was sending from. This is unprecedented and everything, but:

  1. The puzzle says to tweet the answer at me, not email me
  2. The prize for doing the puzzle is me tweeting this gif of a shakas to you14

shakas.gif|tiny yeahhhhhhhhhh, nice

So I guess I emailed the shakas gif to the government??? Yeah, I guess I did.

shakas attached dw Please find attached

Can I write about this?

I asked them if they could give me permission to write this blog post, or who to ask, and they were like “uhhhhhhhhhhh” and gave me two government media email addresses to try. Listen I don’t wanna be an “ummm they didn’t reply to my emAiLs” kinda person buT they simply left me no choice.

Still, defending the Commonwealth was in ASD’s hands now, and that’s a win for me at this point.


  • ☑️ figure out whether i have done a crime
  • ☑️ notify someone (The Government) that this happened
  • ⬜ get permission to publish this here blog post
  • ⬜ tell qantas about the security issue so they can fix it

Part 3: Telling Qantas the bad news

The security issue

Hey remember like fifteen minutes ago when this post was about webpages?

I’m guessing Qantas didn’t want to send the customer their passport number, phone number, and staff comments about them, so I wanted to let them know their website was doing that. Maybe the website was well meaning, but ultimately caused more harm than good, like how that time the bike path railings on the Golden Gate Bridge accidentally turned it into the world’s largest harmonica.

Unblending the smoothie

But why does the website even send you all that stuff in the first place? I don’t know, but to speculate wildly: Maybe the website just sends you all the data it knows about you, and then only shows you your name, flight times, etc, while leaving the passport number etc. still in the page.

If that were true, then Qantas would want to unblend the digital smoothie they’ve sent you, if you will. They’d want to change it so that they only send you your name and flight times and stuff (which are a key ingredient of the smoothie to be sure), not the whole identity fraud smoothie.

Smoothie evangelism

I wanted to tell them the smoothie thing, but how do I contact them?

The first place to check is usually company.com/security, maybe that’ll w-

qantas security not found|small Okay nevermind

Okay fine maybe I should just email [email protected] surely that’s it? I could only find a phone number to report security problems to, and I wasn’t sure if it was like…. airport security?

So I just… called the number and was like “heyyyy uhhhh I’d like to report a cyber security issue?”, and the person was like “yyyyya just email [email protected]” and i was like “ok sorrY”.

Time to email Qantas I guess

I emailed Qantas, being like “beep boop here is how the computer problem works”.

Email to Qantas security-medium

(Have you been wondering about the little dots in this post? Click this one for the rest of the email 15.)

A few days later, I got this reply.

Reply from Qantas security-medium

And then I never heard from this person again

Airlines were going through kinda a struggle at the time, so I guess that’s what happened?

pls|medium if ur still out there Shr Security i miss u

Struggles

After filling up my “get left on read” combo meter, I desperately resorted to calling Qantas’ secret media hotline number16.

They said the issue was being fixed by Amadeus, the company who makes their booking software, rather than with Qantas itself. I’m not sure if that means other Amadeus customers were also affected, or if it was just the way Qantas was using their software, or what.

It’s common to give companies 90 days to fix the bug, before you publicly disclose it. It’s a tradeoff between giving them enough time to fix it, and people being hacked because of the bug as long as it’s out there.

But, well, this was kinda a special case. Qantas was going through some #struggles, so it was taking longer. Lots of their staff were stood down, and the world was just generally more cooked. At the same time, hardly anybody was flying at the time, due to see above re: #struggles. So, I gave Qantas as much time as they needed.

Five months later

The world is a completely different place, and Qantas replies to me, saying they fixed the bug. It did take five months, which is why it took so long for you and I to be having this weird textual interaction right now.

I don’t have a valid Booking Reference, so I can’t actually check what’s changed. I asked a friend to check (with an expired Booking Reference), and they said they didn’t see a mention of “documentNumber” anymore, which sounds like the passport number is no longer there. But That’s Not Science, so I don’t know for sure.

I originally found the bug in March, which was about 60 years ago. BUT we got there baybee, Qantas emailed me saying the bug had been fixed on August 21. They later told me they actually fixed the bug in July, but the person I was talking to didn’t know about it until August.

Qantas also said this when I asked them to review this post:

Thanks again for letting us have the opportunity to review and again for refraining from posting until the fix was in place for vulnerability.

Our standard advice to customers is not to post pictures of the boarding pass, or to at least obscure the key personal information if they do, because of the detail it contains.

We appreciate you bringing it to our attention in such a responsible way, so we could fix the issue, which we did a few months ago now.

I couldn’t find any advice on their website about not posting pictures of customer boarding passes, only news articles about how Qantas stopped printing the Frequent Flyer number on the boarding pass last year, because… well, you can see why.

I also asked Qantas what they did to fix the bug, and they said:

Unfortunately we’re not able to provide the details of fix as it is part of the protection of personal information.

:((


  • ☑️ figure out whether i have done a crime
  • ☑️ notify someone (The Government) that this happened
  • ⬜ get permission to publish this here blog post
  • ☑️ tell qantas about the security issue so they can fix it

Part 4: Finding Tony Abbott

Like 2003’s Finding Nemo, this section was an emotional rollercoaster.

The government was presumably helping Tony Abbott reset his passport number, and making sure his current one wasn’t being used for any of that yucky identity fraud.

But, much like Shannon Noll’s 2004 What About Me?, what about me? I really wanted to write a blog post about it, you know? So I could warn people about the non-obvious risk of sharing their boarding passes, and also make dumb and inaccessible references to the early 2000s.

The government people I talked to couldn’t give me permission to write this post, so rather than willingly wandering deeper into the procedurally generated labyrinth of government department email addresses (it’s dark in there), I tried to find Tony Abbott or his staff directly.

Calling everybody in Australia one by one

I called Tony Abbott’s former political party again, and asked them how to contact him, or his office, or something I’m really having a moment rn. They said they weren’t associated with him anymore, and suggested I call Parliament House, like I was the Queen or something.

picture of parliament house

In case you don’t know it, Parliament House is sorta like the White House, I think? The Prime Minister lives there and has a nice little garden out the back with a macadamia tree that never runs out, and everyone works in different colourful sections like “Making it so Everyone Gets a Fair Shake of the Sauce Bottle R&D” and “Mateship” and they all wear matching uniforms with lil kangaroo and emu hats, and they all do a little dance every hour on the hour to celebrate another accident-free day in the Prime Minister’s chocolate factory.

calling parliament house i guess

Not really sure what to expect, I called up and was all like “yeah bloody g’day, day for it ay, hot enough for ya?”. Once the formalities were out of the way, I skipped my usual explanation of why I was calling and just asked point-blank if they had Tony Abbott’s contact details.

The person on the phone was casually like “Oh, no, but I can put you through to the Serjeant-at-arms, who can give you the contact details of former members”. I was like “…..okay?????”. Was I supposed to know who that was? Isn’t a Serjeant like an army thing?

But no, the Serjeant-at-arms was just a nice lady who told me “he’s in a temporary office right now, and so doesn’t have a phone number. I can give you an email address or a P.O. box?”. I was like “ok th-thank you your majesty”.

It felt a bit weird just…. emailing the former PM being like “boy do i have bad news for you”, but I figured he probably wouldn’t read it anyway. If it was that easy to get this email address, everyone had it, and so nobody was likely to be reading the inbox.

Spoilers: It didn’t work.

Finding Tony Abbott’s staff

I roll out of bed and stare bleary-eyed into the morning sun, my ultimate nemesis, as Day 40 of not having found Tony Abbott’s staff begins.

This time for sure.

Retinas burning, in a moment of determination/desperation/hubris, I went and asked even more people that might know how to contact Tony Abbott’s staff.

I asked a journalist friend, who had the kind of ruthlessly efficient ideas that come from, like, being a professional journalist. They suggested I find Tony Abbott’s former staff from when he was PM, and contact their offices and see if they have his contact details.

It was a strange sounding plan to me, which I thought meant it would definitely work.

Wikipedia stalking

Apparently Prime Ministers themselves have “ministers” (not prime), and those are their staff. That’s who I was looking for.

Screenshot of Tony Abbott's former staff-medium Big “me and the boys” energy

Okay but, the problem was that most of these people are retired now, and the glory days of 2013 are over. Each time I hover over one of their names, I see “so-and-so is a former politician and….” and discard their Wikipedia page like a LeSnak wrapper into the wind.

Eventually though, I saw this minister.

Screenshot of Scomo in the list Oh he definitely has an office.

That’s the current Prime Minister of Australia (at the time of writing, that is, for all I know we’re three Prime-Ministers deep into 2020 by the time you read this), you know he’s definitely gonna be easier to find.

Let’s call the Prime Minister’s office I guess?

Easy google of the number, absolutely no emotional journey resulting in my growth as a person this time.


When I call, I hear what sounds like two women laughing in the background? One of them answers the phone, slightly out of breath, and says “Hello, Prime Minister’s office?”. I’m like “….hello? Am I interrupting something???”.

I clumsily explain that I know this is Scott Morrison’s office, but I actually was wondering if they had Tony Abbott’s contact details, because it’s for “a time-sensitive media enquiry”17, and I j- She interrupts to explain “so Tony Abbott isn’t Prime Minister anymore, this is Scott Morrison’s office” and I’m like “yA I know please I am desperate for these contact details”.

She says “We wouldn’t have that information but I’ll just check for you” and then pauses for like, a long time? Like 15 seconds? I can only wonder what was happening on the other end. Then she says “Oh actually I can give you Tony Abbott’s personal assistant’s number? Is that good?”.

Ummmm YES thanks that’s what I’ve been looking for this whole time? Anyway brb i gotta go be uh a journalist or something.

Calling Tony Abbott’s personal assistant’s personal assistant

I fumble with my phone, furiously trying to dial the number.

I ask if I’m speaking to Tony Abbott’s personal assistant. The person on the other end says no, but he is one of Tony Abbott’s staff. It has been a long several months of calling people. The cold ice is starting to thaw. One day, with enough therapy, I may be able to gather the emotional resources necessary to call another government phone number.

I explain the security issue I want to report, and midway through he interrupts with “sorry…. who are you and what’s the organisation you’re calling from?” and I’m like “uhhhh I mean my name is Alex and uhh I’m not calling from any organisation I’m just like a person?? I just found this thing and…”.

The person is mercifully forgiving, and says that he’ll have to call me back. I stress once again that I’m calling to help them, happy to wait to publish until they feel comfortable, and definitely do not warrant the bulk-installation of antivirus products.

Calling Tony Abbott’s personal assistant

An hour later, I get a call from a number I don’t recognise.

He explains that the guy I talked to earlier was his assistant, and he’s Tony Abbott’s PA. Folks, we made it. It’s as easy as that.

He says he knows what I’m talking about. He’s got the emails. He’s already in the process of getting Tony Abbott a new passport number. This is the stuff. It’s all coming together.

I ask if I can publish a blog post about it, and we agree I’ll send a draft for him to review.

And then he says

“These things do interest him - he’s quite keen to talk to you”

I was like exCUSE me? Tony Abbott, Leader of the 69th Ministry of Australia, wants to call me on the phone? I suppose I owe this service to my country?

This story was already completely cooked so sure, whatever. I’d already declared emotional bankruptcy, so nothing was coming as a surprise at this point.

I asked what he wanted to talk about. “Just to pick your brain on these things”. We scheduled a call for 3:30 on Monday.

And then Tony Abbott just… calls me on the phone?

Mostly, he wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about “the IT”.

He asked some intelligent questions, like “how much information is in a boarding pass, and what do people like me need to know to be safe?”, and “why can you get a passport number from a boarding pass, but not from a bus ticket?”.

The answer is that boarding passes have your password printed on them18, and bus tickets don’t. You can use that password to log in to a website (widely regarded as a bad move), and at that point all bets are off, websites can just do whatever they want.

He was vulnerable, too, about how computers are harder for him to understand.

“It’s a funny old world, today I tried to log in to a [Microsoft] Teams meeting (Teams is one of those apps), and the fire brigade uses a Teams meeting. Anyway I got fairly bamboozled, and I can now log in to a Teams meeting in a way I couldn’t before19.

It’s, I suppose, a terrible confession of how people my age feel about this stuff.”

Then the Earth stopped spinning on its axis.

For an instant, time stood still.

Then he said it:

“You could drop me in the bush and I’d feel perfectly confident navigating my way out, looking at the sun and direction of rivers and figuring out where to go, but this! Hah!”

This was possibly the most pure and powerful Australian energy a human can possess, and explains how we elected our strongest as our leader. The raw energy did in fact travel through the phone speaker and directly into my brain, killing me instantly.

When I’d collected myself from various corners of the room, he asked if there was a book about the basics of IT, since he wanted to learn about it. That was kinda humanising, since it made me realise that even famous people are just people too.

Anyway I hadn’t heard of a book that was any good, so I told a story about my mum instead.

A story about my mum instead

I said there probably was a book out there about “the basics of IT”, but it wouldn’t help much. I didn’t learn from a book. 13 year old TikTok influencers don’t learn from a book. They just vibe.

My mum20 always said when I was growing up that:

  1. There were “too many buttons”
  2. She was afraid to press the buttons, because she didn’t know what they did

I can understand that, since grown ups don’t have the sheer dumb hubris of a child, and that’s what makes them afraid of the buttons.

Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go21. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.

yeA leaked footage of me learning how to hack

Okay so I didn’t tell the spoon thing to Tony Abbott, but I did tell him what I always told my mum, which was: “Mum you just gotta press all the buttons, to find out what they do”22.

He was like “Oh, you just learn by trial and error”. Exactly! Now that I think about it, it’s a bit scary. We are dumb babies learning to use a spoon for the first time, except if you do it wrong some clown writes a blog post about you. Anyway good luck out there to all you big babies.

Asking to publish this blog post

When I asked Tony Abbott for permission to publish the post you are reading right now while neglecting your responsibilities, he said “well look Alex, I don’t have a problem with it, you’ve alerted me to something I probably should have known about, so if you wanna do that, go for it”.

At the end of the call, he said “If there’s ever anything you think I need to know, give us a shout”.

Look you gotta hand it to him. That’s exactly the right way to respond when someone tells you about a security problem. Back at the beginning, I was kinda worried that he might misunderstand, and think I was trying to hack him or something, and that I’d be instantly slam dunked into jail. But nope, he was fine with it. And now you, a sweet and honourable blog post browser, get to learn the dangers of posting your boarding pass by the realest of real-world examples.

During the call, I was completely in shock from the lost in the bush thing killing me instantly, and so on. But afterwards, when I looked at the quotes, I realised he just wanted to understand what had happened to him, and more about how technology works. That’s the same kind of curiosity I had, that started this whole surrealist three-act drama. That… wasn’t really what I was expecting from Tony Abbott, but it’s what I found.

The point of this story isn’t to say “wow Tony Abbott got hacked, what a dummy23”. The point is that if someone famous can unknowingly post their boarding pass, anyone can.

Anyway that’s why I vote right wing now baybeeeee.


  • ☑️ figure out whether i have done a crime
  • ☑️ notify someone (The Government) that this happened
  • ☑️ get permission to publish this here blog post
  • ☑️ tell qantas about the security issue so they can fix it

Act 3: Closing credits

Do Not Get Arrested Challenge 2020

Wait no what the heck did I just read

Yeah look, reasonable.

tl; dr

Your boarding pass for a flight can sometimes be used to get your passport number. Don’t post your boarding pass or baggage receipt online, keep it as secret as your passport.

How it works

The Booking Reference on the boarding pass can be used to log in to the airline’s “Manage Booking” page, which sometimes contains the passport number, depending on the airline. I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.

Why did you do this?

One day, my friend who was also in “the group chat” said “I was thinking…. why didn’t I hack Tony Abbott?24 And I realised I guess it’s because you have more hubris”.

I was deeply complimented by this, but that’s not the point. The point is that you, too, can have hubris.

You know how they say to commit a crime (which once again I insist did not happen in my case) you need means, motive, and opportunity? Means is the ability to use right click > Inspect Element, motive is hubris, and opportunity is the dumb luck of having my friend message me the Instagram post.

I know, I’ve been saying “hubris” a lot. I mean “the willingness to risk breaking the rules”. Now hold up, don’t go outside and do crimes (unless it’s really funny). I’m not talking about breaking the law, I’m talking about rules we just follow without realising, like social rules and conventions.

Here’s a simple example. You’re at a sufficiently fancy restaurant, like I dunno, with white tablecloths or something? The waiter asks if you’d like “still or sparkling water?”

If you say “still”, it costs Eleven Dollars. If you say “sparkling”, it costs Eleven Dollars and tastes all gross and fizzy. But if you say “tap water, please”, you just get tap water, what you wanted in the first place?

When I first saw someone do this I was like “you can do that? I just thought you had to pay Eleven Dollars extra at fancy restaurants!”.

It’s not written down anywhere that you can ask for tap water. But when I found out you could do that, and like, nothing bad happens, I could suddenly do it too. Miss me with that Eleven Dollars fizzy water.

Basically, until you’ve broken the rules, the idea that the rules can be broken might just not occur to you. That’s how it felt for me, at least.

In conclusion, to be a hacker u ask for tap water.

FAQ

Why is it bad for someone else to have your passport number?

Hey crime gang, welcome back to Identity Fraud tips and tricks with Alex.

A passport is government-issued ID. It’s how you prove you’re you. The fact that you have your passport and I don’t is how you prevent me from convincing the government that I’m you and doing crimes in your name25.

Just having the information on the passport is not quite as powerful as a photo of the full physical passport, with your photo and everything.

With your passport number, someone could:

  • Book an international flight as you26.
  • Apply for anything that requires proof of identity documentation with the government, e.g. Working with children check
  • Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government)
  • Create a fake physical passport from a template, with the correct passport number (which they then use to cross a border, open a bank account, or anything)
  • who knows what else, not me, bc i have never done a crime

Am I a big bozo, a big honking goose, if I post my boarding pass on Instagram?

Nah, it’s an easy mistake to make. How are you supposed to know not to? It’s not obvious that your boarding pass is secret, like a password. I think it’s on the airline to inform you on the risks you’re taking when you use their stuff.

But now that you’ve read this blog post, I regret to inform you that you will in fact be an entire sack of geese if you go and post your boarding pass now.

When did all of this happen?

  • March 22 - @hontonyabbott posts a picture of a boarding pass and baggage receipt. I log in to the website and get the passport number, phone number, and internal Qantas comments.
  • March 24 - I contact the Australian Signals Directorate (ASD) and let them know what happened.
  • March 27 - ASD tells me their investigation is complete, I send them a shakas gif, and they thank me for being a good citizen.
  • March 29 - I learn from lawyers that I have not done a crime 💯
  • March 30 - I contact Qantas and tell them about the vulnerability.
  • May 1 - Tony Abbott calls me, we chat about being dropped in the middle of the bush.
  • July 17 - Paper Mario: The Origami King is released for Nintendo Switch.
  • August 21 - Qantas emails me saying the security problem has been fixed.
  • September 13 - Various friends finish reviewing this post <3
  • September 15 - Tony Abbott and Qantas review this post.
  • Today - You read this post instead of letting it read you, nice job you.

I’m bored and tired

Let me answer that question,,, with a question.

Maybe try drinking some water you big goose. Honk honk, I’m so dehydrated lol. That’s you.

honk honk honk honl

Yeah, exactly.







I wrote this because I can’t go back to the Catholic church ever since they excommunicated me in 1633 for insisting the Earth revolves around the sun.

You can talk to me about it by sliding into my DMs in the tweet zone or, if you must, email.


  1. It’s one of those group chats where the name is constantly changing and you have no idea who “illegally downloaded plant farmer” is. 

  2. Except Kevin Rudd, but that was one time and we were kinda going through some stuff. 

  3. As for my friend’s nickname being “𝖍𝖔𝖌𝖌𝖊 𝖒𝖔𝖆𝖉𝖊”, I will not be providing context at this time. 

  4. On behalf of another friend, my many friends a consequence of my outstanding patriotic efforts towards continuing to avoid subversion of the Commonwealth of Australia. 

  5. To be clear, I didn’t want to go do some fun casual identity fraud, I just wanted to know if he had posted something secret, since uh, someone should probably do something about that if it were true (I insist, as they drag me away). 

  6. You can’t just have step 3. You have to earn it

  7. The last name is printed on the baggage receipt, too. So even if I didn’t know who posted the picture, everything you need to manage the booking is right there on the baggage receipt in a neat little package. 

  8. Which was actually “Anthony Abbott” #exposed 

  9. Harold Holt was another former Prime Minster and we… lost him? He disappeared while going for a swim one morning. This is not a joke. We named Harold Holt Memorial Swim Centre after him. I repeat, this is not a joke. 

  10. after years of practice, i now think entirely in lowercase 

  11. I’ve always wanted to say that. 

  12. I’m not really sure what my plan was. If I had done a crime, what was I gonna do, not report the passport number being publicly available? 

  13. Tony Abbott’s personal assistant later told me that the form was broken because the website was in the middle of some construction/upgrading. 

  14. Or it was, at least. It’s something else now, since otherwise it wouldn’t be a surprise 👀 

  15. One way to fix this problem would be to stop including the passenger’s PNR, passport number, or PNR remarks in the HTTP server’s response for “tripflow.redirect.html”. I’m also planning on publishing a blog post on a personal website describing this issue. If Qantas would prefer that I do not publicly disclose this issue until the issue has been fixed, just let me know. I’m happy to help any way I can, let me know if there’s any more information I can provide. This issue relates to ASD Assist issue OPS-69067 (author’s note: SO CLOSE) with the Australian Signals Directorate. 

  16. They kept not replying to me, which turned out to be because my emails were getting sent to Junk, presumably because of the illicit hacker keywords contained within. 

  17. These were the magic words my journalist friend told me, for which I will be forever grateful, and keep close to my heart. 

  18. Depending on the airline. 

  19. I didn’t record our call, I only took notes, so this isn’t a quote, oops. I might have written it down wrong, so nothing in this section has any journalistic integrity, oops again. 

  20. hi mum 

  21. “Nobody gives the baby a knife. You give them a spoon” - Mum, when I showed her this. 

  22. But like, I didn’t call him “Mum”, that would be weird, in startling contrast to the rest of this story. 

  23. There are many, many blog posts out there roasting Tony Abbott, if that’s what you’re looking for. 

  24. Which was a big misunderstanding, because I stress once again that I did not subvert any Commonwealths of anything, no matter who’s askin’ 

  25. Crimes that I once again stress I have not done. 

  26. But not actually fly on it without the physical passport.