#must red : post a boarding pass on facebook, get your account stolen

A trip to Hong Kong

I've known Petr Mára for few years now, he's a nice guy. He's a speaker, trainer, video blogger, and deploys iOS & macOS wherever possible. And also loves to travel. He and his wife went to Hong Kong to celebrate her birthday in May 2016 but Petr didn't say for how long they'd enjoy the city. And of course I had to know. It was this moment when I'd noticed that there's a booking reference YJVFKGand some other barcode on boarding passes posted by Petr on Instagram before their departure. You better not publish your booking reference or any other codes or barcodes from your boarding passes or any tickets in general.
British Airways boarding passDetail of the picture Petr Mára has posted
The flight from London takes almost 12 hours, so just for five days? To find Petr's departure from Hong Kong, it was enough to go to British Airways website and enter the booking reference in the right input field. After submitting the reference code I learned, among other things, that Petr had all the required data correctly filled in. No wonder, he was already in Hong Kong. And then there was this red button View or change details. You know, you see a red button, you have to click it. So I did.
British Airways login formAirline login page
Petr's advance information is completeAll data is complete
The airlines wanted to verify that it was mePetr trying to change the details. I could enter his passport number but I didn't have it (yet), or date of birth. Petr has his birthday on his Facebook profile, it's published in Business Register or Trade Register of the Czech Republic, too. Your birthday is fairly public information, it's also reflected in tax id or VAT number of tradesmen and freelancers in here, it's not a secret.
Petr Mára's detailsPetr's details
Finally, here's the passport number! And I can even change it. Cool, I can make Petr's wife birthday celebration in Hong Kong a bit longer. Just enter the passport number of an internationally wanted criminal or something.
I didn't change a thing and reported everything to Petr. I also apologized because I blocked him from accessing the booking page for 24 hours when I tried to guess his wife's birthday. I googled the date later, of course. Huge thanks to Petr for being nice to me! Guessing from his next picture of boarding passes published five months later, he learned a lesson that day – no reference numbers or barcodes fully visible.

More Facebook and Instagram photos

You'll find a lot of boarding pass pictures on both Facebook and Instagram. Some travelers try to be smart and blur their names and other details but leave the bar codes just like that. For example this young lady called Anna.
Boarding passRandom barcode from Instagram
Anna's full name is Anna Ferenčáková, and she was travelling from Prague to Belgrade, Serbia in April 2017. You'll learn it after scanning the barcode from the photo. Barcodes can also be found on “forgotten” boarding passes in aircraft or other locations.
Barcode Scanner screenshotScanned bar code
With more and more people using “smart” devices, barcodes from boarding passes can also be found in photos of hands wearing watches. Below is a so called Aztec code from a boarding pass displayed on someone's iWatch. This code contains the same information (or similar) as the old school paper boarding pass. But with a smart watch, you don't need to print your boarding pass, all you have to do is dislocate your hand while trying to scan the code from the app at the gate. The future is here.
Aztec code in a smart watch app on a handAztec code on a smart watch
This hand (and watch) belongs to Stephen Fenech, en route from San Francisco to New York. We know that because again, we have scanned the Aztec code. We can confirm that by reading this article about the pitfalls of using boarding passes with “smart” watch, which – with your wrist – just don't fit into some of the scanners. There's yet another important thing encoded in the Aztec code: a frequent-flyer number. Mr. Fenech's American Airlines frequent flyer account number is 4708760.
Barcode Scanner screenshotScanned Aztec code

Stealing an account

When searching for boarding passes on Facebook, I found a picture of an Aztec code taken by a man who wished to remain anonymous. He's well known in certain circles, has about 120,000 followers on Twitter, and founded something in Europe and in the United States too. The code in the picture contained his United Airlines frequent flyer number. This airline treats such numbers as a super secret access codes. If they print a frequent flyer number on an official correspondence they print only last 3 digits and the rest is masked, like a password. There was a full number in the Aztec code, of course, so I was thinking of using it to try and hijack that person's account. Because why not, right, it shouldn't be that easy.
So I went to the United Airlines website, selected Forgot password, and entered the name and the number from the scanned Aztec code. What followed were two security questions that were answered within a few seconds: “the first major city that you visited” was the city where this person was born, and “your favorite cold-weather activity” in the Alpine country was not golf. The system correctly recognized that me was, in fact, him and then I could set up a new password for his account. Update August 25: this happened in June 2016, United has since added an additional step in which they require the customer to click a link which was emailed to them to change their password. Seems that nowadays, I'd be able to just trigger such email.
United Airlines password reset pageCreating a new password
I did not set a new password, I wasn't there to cause anyone any trouble. I sent a message to that person, just like I sent one to Petr Mára. He had deleted the picture with the Aztec code from Facebook (it's still on Twitter, though), but he didn't believe I could hijack the account. He thought the website would send a new password to him.
After a brief explanation, he understood. Oh shit, you're right. You could have just changed the password. This is crazy. Yeah, it is. Just because he's uploaded his boarding pass I could steal his account. Maybe there might be a stored payment card for future purchases, or I could make him get stuck somewhere.

Just don't publish any pictures with codes

Users often publish data that they don't know what they mean. Because at first sight, it's not possible to see what's the data, or what the data is for. Someone might find the data useful for something. In the worst case, it's possible to steal an account. Just be careful with the data you upload or publish. When you're not exactly sure what data is the in the picture or screenshot you want to upload to Facebook, you can just hide the data with a black rectangle or any other favorite shape (just blurring them might not be enough), or maybe just don't publish the data at all. When creating answers for security questions you have to lie. You can “remember” your answers in a password manager, just like your passwords. And don't leave your boarding passes in the aircraft.

Comments

Post a Comment

Popular Hacking news

send whatsapp messages can be deleted, but they don't really go away

Image
Encrypted messaging platform WhatsApp recently added the ability to delete sent messages, but the team at Android Jefe (article is in Spanish) has discovered that they don't quite disappear completely. A deleted text still exists on the recipient's device in the form of a notification, Android Jefe found, and with the proper software it can be read hours later. As an individual bug it might not sound too concerning, but the Android notification log doesn't exist in a vacuum. If an Android device has already been compromised by malware, the notification log could be a way for anyone to read WhatsApp messages, deleted or not, and that's a huge security problem for an app that prides itself on being private and secure. Android notifications and you Every time a notification comes to an Android device it gets stored in a log that records everything from that Android session (it clears on reboot). If you can access the notification log you can see a list of every
Read more

Bill Gates tells me how he hacked his school's computer to meet girls

Image
B ill Gates needs no introduction whatsoever. After all, he co-found Microsoft and is currently the richest person in the world. In 2000, he also launched the Bill and Melinda Gates Foundation that has donated more than $34 billion to the projects aimed at social welfare.  Gates used his first computer at a private school in Seattle. There, he wrote his first computer program aged just 13. It was the same Lakeside School where Gates met Paul Allen and became friends over a shared love of computers. Apart from being enthusiastic about computers, they used to hack into computers from time to time. You must have heard the famous story that tells how Gates hacked into his school computer to meet girls. In a recent interview with BBC, Bill Gates sheds more light over this story and tells how he enrolled himself into the classes where he was the only boy. He and fellow Microsoft co-founder Paul Allen hacked and make changes into school’s scheduling software to up Gates’ chances of
Read more