• Post a boarding pass on Facebook, get your account stolen
  • Michal Špaček
  • The Nuggets Translation Project
  • Permanent link to this article: github.com/xitu/gold-m…
  • Translator: lampui
  • Proofreader: Tina92, Zhangqippp

The holidays are in full swing, and when you want to brag about where you’ve been, watch what you post on Facebook or Instagram. Keep your boarding pass (or any other ticket with a bar code) to yourself, or shred it.

A trip to Hong Kong

I’ve known Petr Mara for several years. He’s a friendly guy, a speaker, trainer, video host, and iOS & macOS enthusiast. He also loves to travel, and in May 2016 he took his wife to Hong Kong to celebrate her birthday. Petr didn’t say how long the trip would be, but of course I eventually found out! Before Petr flew, he posted a photo of his boarding pass, showing the booking reference (order number) YJVFKG and some bar codes, and that’s how I learned how long he would be staying in Hong Kong. As a general rule, it’s best not to share any boarding passes or tickets with booking references, QR codes or bar codes printed on them.

British Airways boarding pass

Petr Mara sent this post

The flight leaves from London and takes about 12 hours, so they’re only staying for five days? Just go to the British Airways website, type his booking reference into the box on the right, and you’ll see Petr’s trip to Hong Kong. After submitting the booking reference, I found, among other things, that Petr had already filled in all the required advance passenger data. Not surprisingly: he’s already in Hong Kong. Below that there is a red button, View or Change Details. You know how it is: you see a red button, you hit it. So I hit it.

British Airways login form

Airline login page

Petr’s advance information is complete

The required data is complete

The airline wants to make sure that it is really Petr (that is, me) changing the details. It asks for his passport number or his date of birth, neither of which I know (yet). But Petr’s birthday is on his Facebook page, and it is also publicly available in the Czech Business Register and Trade Register. Everyone’s birthday is an open secret: in the Czech Republic, a trader’s or freelancer’s VAT ID even contains it, so it’s no secret at all.

Petr Mara ‘s details

Details of Petr

Finally, I found his passport number! I can even change it! Cool! I could make Petr and his wife’s birthday celebration in Hong Kong last a little longer: just type in the passport number of some internationally wanted criminal or the like.

I didn’t change anything and told Petr about it. I also apologized to him for locking him out of his booking page for the next 24 hours by trying to guess his wife’s birthday. Then, of course, I googled her birthday. Thank you, Petr, for staying so friendly after learning all this! And judging by his next boarding pass five months later, Petr had learned his lesson about booking references and bar codes.

More Facebook and Instagram photos

You can find plenty of photos of boarding passes on Facebook or Instagram. Some travelers try to be smart and black out their names and other details, but leave the bar codes untouched, like Anna here.

Boarding pass

Random bar codes in Instagram

Anna, whose full name is Anna Ferenčáková, flew from Prague to the Serbian capital, Belgrade, in April 2017. You can scan the bar code straight off that photo! Bar codes can also be found on boarding passes “left behind” on airplanes or elsewhere.

Barcode Scanner screenshot

Bar code information after scanning

As more and more people use “smart” devices, the bar codes on boarding passes can also be found on smartwatches. Here’s a so-called Aztec code (a 2D bar code similar to a QR code) displaying a boarding pass on someone’s Apple Watch. It contains the same (or similar) information as a traditional paper boarding pass, but with a smartwatch you don’t need to print anything: at the gate you just hold out your wrist and have it scanned. The future is here.

Aztec code in a smart watch app on a hand

Aztec code on the smartwatch

The hand (and the watch) belong to Stephen Fenech, photographed on his way from San Francisco to New York. Once again, we know this because we scanned the Aztec code. You can read this article about the pitfalls of boarding passes on “smart” watches: a wrist just doesn’t fit into some scanners. The Aztec code also carries one more important piece of information: a number identifying the passenger as a frequent flyer. Mr. Fenech’s number is 4708760.

Barcode Scanner screenshot

Scanning the Aztec code
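What a scanner actually recovers from Anna’s bar code, or from the Aztec code on Mr. Fenech’s watch, is a plain text string in the IATA Bar Coded Boarding Pass (BCBP) layout: fixed-width mandatory fields (name, booking reference, route, flight, date, seat) followed by an optional, size-prefixed conditional section where the frequent flyer number lives. The parser below is an added example, not code from the original article; the boarding pass string it decodes is constructed, with placeholder names, airline codes and numbers.

```python
# Added example, not from the original article: decode an IATA BCBP (Bar Coded Boarding
# Pass) string, the text a scanner app shows for a boarding-pass bar code or Aztec code.
MANDATORY_UNIQUE = 23  # 'M' + leg count + 20-char name + e-ticket flag

def _field(s, start, length):
    return s[start:start + length].strip()

def _frequent_flyer(cond):
    """Frequent flyer airline and number from the conditional section, or None."""
    if not cond.startswith(">"):          # '>' + version byte opens the section
        return None
    unique_size = int(cond[2:4], 16)      # hex size of the 'unique' block
    rep = cond[4 + unique_size:]          # the 'repeated' block follows, also size-prefixed
    if len(rep) < 2:
        return None
    rep = rep[2:2 + int(rep[0:2], 16)]
    if len(rep) < 37:                     # the FF number sits at offsets 21..36
        return None
    airline, number = rep[18:21].strip(), rep[21:37].strip()
    return f"{airline} {number}".strip() or None

def parse_bcbp(data):
    """Return the fields of the first leg of a BCBP 'M' string as a dict."""
    if not data.startswith("M"):
        raise ValueError("not an IATA BCBP bar code (format code must be 'M')")
    last, _, first = _field(data, 2, 20).partition("/")
    p = MANDATORY_UNIQUE                      # first leg's mandatory block starts here
    var_size = int(data[p + 35:p + 37], 16)   # hex size of the conditional section
    return {
        "legs": int(data[1]),
        "last_name": last,
        "first_name": first,
        "booking_reference": _field(data, p, 7),
        "from": _field(data, p + 7, 3),
        "to": _field(data, p + 10, 3),
        "carrier": _field(data, p + 13, 3),
        "flight": _field(data, p + 16, 5),
        "day_of_year": int(data[p + 21:p + 24]),
        "seat": _field(data, p + 25, 4),
        "frequent_flyer": _frequent_flyer(data[p + 37:p + 37 + var_size]),
    }

# Constructed sample (all values are placeholders): DOE/JANE, booking ABC123,
# PRG->BEG on day 105, seat 12A, frequent flyer number 0012345678 in the conditional part.
SAMPLE = (
    "M1" + "DOE/JANE".ljust(20) + "E"
    + "ABC123 PRGBEGXX 0123 105Y012A0025 1" + "48"          # 0x48 bytes follow
    + ">5" + "18" + "0WW6105BXX " + " " * 13                 # version 5, 0x18-byte unique block
    + "2A" + "123" + "1234567890" + "  " + "XX " + "XX " + "0012345678".ljust(16) + " 1PCN"
)
```

Calling `parse_bcbp(SAMPLE)` returns the name, booking reference, route, flight, day of year, seat and the frequent flyer number, which is exactly the data someone needs to log in to a booking or start a password reset.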

Account takeover

While searching Facebook for boarding passes, I found a photo with an Aztec code, posted by a man who will remain anonymous here. He is well known in certain circles, with roughly 120,000 Twitter followers and a background in both Europe and the United States. The Aztec code contains his United Airlines frequent flyer number. The airline treats these numbers as if they were a top-secret access code: if they have to print one in an official document, they show only the last three digits and hide the rest, like a password. The frequent flyer number in the Aztec code is, of course, complete, so I thought I’d try using it to get into that guy’s account. Why not, right? It can’t be that easy.

So I went to the United website, clicked “forgot password”, entered the name and number from the Aztec code, and spent a few seconds answering two security questions: “First major city you visited?” and “What’s your favorite winter sport?” The answer to the first is where the person was born. The answer to the second, for someone from an alpine country, is certainly not golf. The system then accepted me as the rightful owner of the account and let me set a new password for it. Update, August 25, 2016: this happened in June 2016, and United Airlines has since added an extra protection. Users must now click a password-change link sent to their email address, so it seems that today all I could do is trigger that email.

United Airlines password reset page

Create a new password

I didn’t set a new password, as I didn’t want to cause anyone trouble. I messaged the man, just as I had messaged Petr Mara. He removed the photo with the Aztec code from Facebook (it’s still on Twitter, though). But he didn’t believe I could hijack his account; he thought the United Airlines website would only send him a new password.

After a brief explanation, he got it: “Oh shit, you’re right! You can change the password! This is madness!” Yes, it is. Just because he uploaded his boarding pass, I can steal his number, and with it maybe get discounts on future bookings, or MAYBE get him stuck somewhere.

Do not publish any images of the code

Users often inadvertently disclose data they don’t see as valuable, because at first glance it’s impossible to tell what information is hidden in it or how it could be used. Somebody, somewhere, might find it useful; in the worst case, that is always possible. So be careful what data you upload or make public. When you want to upload a photo to Facebook but aren’t sure what data the photo or screenshot contains, cover it with a black rectangle or any other opaque shape (blurring may not be enough), or don’t post it at all. Learn to lie when answering security questions: a password manager can “remember” your answers just as it remembers your passwords. And don’t leave your boarding pass on the plane.

This article is based on my talk at the CZ domain registry (in Czech).

Recommended reading

  • What’s on the bar code of the boarding pass? A lot. By Brian Krebs.
  • Where in the world is Carmen Sandiego?, a 33C3 presentation by Karsten Nohl and Nemanja Nikodijevic

Update

August 25: an additional step is now required when resetting a United Airlines password.

Michal Špaček

I build Web applications and care about Web application security, and I’m happy to share security developments. My job is to teach Web developers how to build secure and fast Web applications and why.


The Nuggets Translation Project is a community that translates high-quality technical articles from English and shares them on Nuggets. The content covers Android, iOS, React, front-end, back-end, product, design and other fields. If you want to see more high-quality translations, please keep following the Nuggets Translation Project, its official Weibo, and its Zhihu column.