📆 16. 8. 2017 📂 boarding pass, barcode, password reset

Holiday time is in full swing. When you want to brag about your final destination, be careful of what you post on Facebook and Instagram. Leave your boarding passes (and other barcodes) for yourself (and get a shredder).

A trip to Hong Kong

I've known Petr Mára for a few years now, he's a nice guy. He's a speaker, trainer, video blogger, and deploys iOS & macOS wherever possible. He also loves to travel. He and his wife went to Hong Kong to celebrate her birthday in May 2016, but Petr didn't say for how long they'd enjoy the city. And of course I had to know. That was the moment I noticed that there's a booking reference, YJVFKG, and another barcode on the boarding passes Petr had posted on Instagram before their departure. You'd better not publish your booking reference or any other codes or barcodes from your boarding passes, or from any tickets in general.

British Airways boarding pass

Detail of the picture Petr Mára has posted

The flight from London takes almost 12 hours, so just for five days? To find Petr's departure from Hong Kong, it was enough to go to the British Airways website and enter the booking reference in the right input field. After submitting the reference code I learned, among other things, that Petr had all the required data correctly filled in. No wonder, he was already in Hong Kong. And then there was this red button: View or change details. You know, when you see a red button, you have to click it. So I did.

British Airways login form

Airline login page

Petr's advance information is complete

All data is complete

The airline wanted to verify that it was Petr (and not me) trying to change the details. I could enter his passport number, which I didn't have (yet), or his date of birth. Petr has his birthday on his Facebook profile, and it's published in the Business Register and the Trade Register of the Czech Republic, too. Your birthday is fairly public information; here it's also reflected in the tax ID or VAT number of sole traders and freelancers. It's not a secret.

Petr Mára's details

Petr's details

Finally, here's the passport number! And I can even change it. Cool, I can make the birthday celebration of Petr's wife in Hong Kong a bit longer. Just enter the passport number of an internationally wanted criminal or something.

I didn't change a thing and reported everything to Petr. I also apologized, because I had locked him out of the booking page for 24 hours while trying to guess his wife's birthday. I googled the date later, of course. Huge thanks to Petr for being nice to me! Judging from his next picture of boarding passes, published five months later, he learned a lesson that day – no reference numbers or barcodes fully visible.

More Facebook and Instagram photos

You'll find a lot of boarding pass pictures on both Facebook and Instagram. Some travelers try to be smart and blur their names and other details but leave the barcodes just as they are. For example, this young lady called Anna.

Boarding pass

Random barcode from Instagram

Anna's full name is Anna Ferenčáková, and she was travelling from Prague to Belgrade, Serbia, in April 2017. You learn that just by scanning the barcode in the photo. Barcodes can also be found on “forgotten” boarding passes left in aircraft or elsewhere.

Barcode Scanner screenshot

Scanned bar code

With more and more people using “smart” devices, barcodes from boarding passes can also be found in photos of hands wearing watches. Below is a so-called Aztec code from a boarding pass displayed on someone's iWatch. This code contains the same (or similar) information as the old-school paper boarding pass. But with a smart watch you don't need to print your boarding pass; all you have to do is dislocate your hand while trying to scan the code from the app at the gate. The future is here.

Aztec code in a smart watch app on a hand

Aztec code on a smart watch

This hand (and watch) belongs to Stephen Fenech, en route from San Francisco to New York. We know that because, again, we have scanned the Aztec code. We can confirm it by reading this article about the pitfalls of using boarding passes on a “smart” watch, which – together with your wrist – just doesn't fit into some of the scanners. There's yet another important thing encoded in the Aztec code: a frequent-flyer number. Mr. Fenech's American Airlines frequent flyer account number is 4708760.

Barcode Scanner screenshot

Scanned Aztec code
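To show what a scanner app actually recovers from a photographed barcode, here is an added example that is not from the original post or its author: a small Python parser for the IATA Bar Coded Boarding Pass (BCBP) text record that the PDF417, Aztec and QR symbols on boarding passes carry. The sample payload is constructed (fictitious passenger, carrier code XX, made-up booking reference, document number and frequent flyer number); the field names are my own labels for the standard's items, and the conditional section is assumed to follow the BCBP version 5 layout.

```python
"""Decode the text payload of an IATA Bar Coded Boarding Pass (BCBP).

Hypothetical example written for this article, not the author's code.
The SAMPLE_PAYLOAD below is constructed: fictitious passenger, carrier
"XX", fake booking reference, document number and frequent flyer number.
"""
import datetime
from typing import Dict, List, Tuple

Layout = List[Tuple[str, int]]

# Mandatory single-leg section: always 60 characters, in this order.
MANDATORY_FIELDS: Layout = [
    ("format_code", 1), ("number_of_legs", 1), ("passenger_name", 20),
    ("electronic_ticket_indicator", 1), ("pnr_code", 7),
    ("from_airport", 3), ("to_airport", 3), ("operating_carrier", 3),
    ("flight_number", 5), ("date_of_flight_julian", 3),
    ("compartment_code", 1), ("seat_number", 4),
    ("checkin_sequence_number", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]

# Repeated (per-leg) conditional section as laid out in BCBP version 5.
REPEATED_FIELDS: Layout = [
    ("airline_numeric_code", 3), ("document_serial_number", 10),
    ("selectee_indicator", 1), ("international_document_verification", 1),
    ("marketing_carrier", 3), ("frequent_flyer_airline", 3),
    ("frequent_flyer_number", 16), ("id_ad_indicator", 1),
    ("free_baggage_allowance", 3), ("fast_track", 1),
]


def _slice_fields(data: str, layout: Layout, out: Dict[str, str]) -> None:
    """Cut fixed-width fields; a section shorter than the layout simply ends early."""
    pos = 0
    for name, width in layout:
        if pos >= len(data):
            break
        out[name] = data[pos:pos + width].strip()
        pos += width


def parse_bcbp(payload: str) -> Dict[str, str]:
    """Return the fields of a single-leg BCBP payload as a name -> value dict."""
    if len(payload) < 60 or payload[0] != "M":
        raise ValueError("not a BCBP payload")
    fields: Dict[str, str] = {}
    _slice_fields(payload[:60], MANDATORY_FIELDS, fields)
    # The last mandatory item is the hex length of the conditional section.
    cond_size = int(fields["conditional_size_hex"] or "0", 16)
    cond = payload[60:60 + cond_size]
    if cond.startswith(">") and len(cond) >= 4:
        fields["bcbp_version"] = cond[1]
        pos = 4 + int(cond[2:4], 16)  # skip the unique section (issuer, bag tags)
        if pos + 2 <= len(cond):
            repeated_size = int(cond[pos:pos + 2], 16)
            pos += 2
            _slice_fields(cond[pos:pos + repeated_size], REPEATED_FIELDS, fields)
            pos += repeated_size
        fields["airline_use"] = cond[pos:]  # free-format remainder
    return fields


def julian_to_date(julian: str, year: int) -> datetime.date:
    """The barcode stores only the day of the year; the year comes from context."""
    return datetime.date(year, 1, 1) + datetime.timedelta(days=int(julian) - 1)


def exposed_identifiers(fields: Dict[str, str]) -> Dict[str, str]:
    """Personal and account data anyone who scans the photographed code obtains."""
    keys = ("passenger_name", "pnr_code", "frequent_flyer_number",
            "document_serial_number")
    return {k: fields[k] for k in keys if fields.get(k)}


# Constructed sample: PRG -> BEG on day 106 (16 April in 2017), with a
# version 5 conditional section carrying a frequent flyer number.
SAMPLE_PAYLOAD = (
    "M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7)
    + "PRG" + "BEG" + "XX".ljust(3) + "0754".ljust(5) + "106" + "Y"
    + "012C" + "0042".ljust(5) + "3" + "48"  # 0x48 = 72 conditional chars
    + ">" + "5" + "18"  # version 5, 0x18 = 24 unique-section chars
    + "0WW6105B" + "XX".ljust(3) + "0" * 13  # issue data and bag tag
    + "2A"  # 0x2A = 42 repeated-section chars
    + "064" + "1234567890" + "0" + "1" + "XX".ljust(3) + "XX".ljust(3)
    + "XX1234567".ljust(16) + " " + "20K" + "N"
)

if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE_PAYLOAD)
    for key, value in decoded.items():
        print(f"{key:38} {value!r}")
    print("flight date:", julian_to_date(decoded["date_of_flight_julian"], 2017))
    print("exposed:", exposed_identifiers(decoded))
```

The year is not in the barcode, only the day of the year, which is why `julian_to_date` takes it as a parameter; the passenger name, booking reference and frequent flyer number, on the other hand, are all there in plain text, so blurring the printed name while leaving the barcode intact hides nothing.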

Stealing an account

When searching for boarding passes on Facebook, I found a picture of an Aztec code taken by a man who wishes to remain anonymous. He's well known in certain circles, has about 120,000 followers on Twitter, and founded something in Europe and in the United States too. The code in the picture contained his United Airlines frequent flyer number. This airline treats such numbers as super secret access codes: if they print a frequent flyer number in official correspondence, they print only the last 3 digits and mask the rest, like a password. The Aztec code contained the full number, of course, so I was thinking of using it to try and hijack that person's account. Because why not, right? It shouldn't be that easy.

So I went to the United Airlines website, selected Forgot password, and entered the name and the number from the scanned Aztec code. What followed were two security questions that I answered within a few seconds: “the first major city that you visited” was the city where this person was born, and “your favorite cold-weather activity” in the Alpine country was not golf. The system correctly recognized that I was, in fact, him, and then I could set up a new password for his account. Update August 25: this happened in June 2016; United has since added an additional step in which they require the customer to click a link emailed to them before changing their password. It seems that nowadays I'd only be able to trigger such an email.

United Airlines password reset page

Creating a new password

I did not set a new password; I wasn't there to cause anyone any trouble. I sent a message to that person, just like I had sent one to Petr Mára. He had deleted the picture with the Aztec code from Facebook (it's still on Twitter, though), but he didn't believe I could hijack the account. He thought the website would send a new password to him.

After a brief explanation, he understood: “Oh shit, you're right. You could have just changed the password. This is crazy.” Yeah, it is. Just because he'd uploaded his boarding pass, I could steal his account. There might be a stored payment card for future purchases, or I could make him get stuck somewhere.

Just don't publish any pictures with codes

Users often publish data without knowing what it means, because at first sight it's not obvious what the data is or what it's for. Someone might find the data useful for something; in the worst case, it's possible to steal an account. Just be careful with the data you upload or publish. When you're not exactly sure what data is in the picture or screenshot you want to upload to Facebook, hide it with a black rectangle or any other favorite shape (just blurring it might not be enough), or maybe don't publish it at all. When creating answers to security questions, you have to lie. You can “remember” your answers in a password manager, just like your passwords. And don't leave your boarding passes in the aircraft.

This article is based on my talk (in Czech) at a conference organized by the CZ domain registry.


Updates

25. 8. Added a note about the additional step when resetting a United password

Michal Špaček

I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.