Your Boarding Pass Is a Credential. Stop Posting It.
It is March 2020. Tony Abbott, the former Prime Minister of Australia, has just landed in Tokyo after a Qantas flight from Sydney. He posts a photo of his boarding pass on Instagram, thanking the crew for a great flight. It is a perfectly ordinary social media post.
In a group chat somewhere in Australia, a security researcher named Alex Hope is tagged. A friend has posted the photo as a challenge: how much of a problem is this, really?
Hope opens a barcode reader. He scans the image. He reads two values from the result: a last name and a six-character alphanumeric code. He types them both into the Qantas booking portal.
He is now inside Tony Abbott's travel profile.
The website's main page shows limited data. But Hope opens the browser developer tools and inspects the raw HTML source that the server sent back. Hidden inside the page, visible only in the underlying code, is a set of fields the front-end interface chose not to display. Abbott's private phone number. Staff notations about his VIP preferences. And, most significantly, his passport number.
Hope contacted the Australian government immediately and disclosed everything through responsible channels. Qantas fixed the issue. Abbott was issued a new passport. The incident made international headlines as a watershed moment for aviation data security.
What made it extraordinary was not the sophistication of the attack. Hope used no hacking tools. He ran no exploits. He used a barcode reader and a web browser.
The vulnerability was the boarding pass itself.
I found three on Instagram this week
Before explaining the architecture behind what Hope discovered, I want to show you the same thing happening in practice. Below are three boarding pass images representative of what turns up on public social media profiles every single day, each run through a BCBP decoder.
The decoder output follows the data structure mandated by the International Air Transport Association's BCBP standard. Every piece of information it surfaces is encoded in plaintext inside the barcode. No decryption required. No special access. Just a barcode reader and a two-field login form.
The third pass, the Qantas business class booking, demonstrates the most severe variant: the booking portal's graphical interface withholds the passport number from the visible page, but the server still sends it to the browser. The developer tools reveal everything the front-end decided to hide.
What the barcode actually encodes
The boarding pass looks like a receipt. It is not a receipt. It is a machine-readable credential token governed by IATA Resolution 792, the Bar Coded Boarding Pass (BCBP) standard, which IATA's Simplifying the Business programme made mandatory for member airlines by the end of 2010, replacing the magnetic stripe.
The standard mandates 2D barcodes for all boarding passes: PDF417 for paper passes, and Aztec, DataMatrix or QR codes for mobile. Unlike a 1D barcode, which holds little more than a short identifier that a system has to look up, a 2D barcode can store a substantial payload of structured data directly in the image. This was an engineering necessity. Gate agents need to verify a pass even when connectivity to the backend system is unavailable. So the pass carries its own data.
The data structure is organized into mandatory fields, conditional fields, and airline-specific fields, each at a fixed offset and width. The result is a universal template whose layout is public: any barcode reader, including free smartphone apps, returns the raw string, and splitting it into fields takes nothing more than the published offsets.
| Field | What It Contains |
|---|---|
| Passenger Name | LAST/FIRST (often with a title), padded or truncated to 20 characters to match the ticketed name |
| PNR Code | Six-character alphanumeric booking reference |
| Origin and Destination | Three-letter IATA airport codes for the leg |
| Operating Carrier | IATA airline designator code |
| Flight and Date | Flight number plus the day-of-year number of travel (the standard calls it a Julian date) |
| Compartment Code | Single-letter class identifier (Y = Economy, J = Business, F = First) |
| Seat Assignment | Assigned seat number |
| Check-In Sequence | The passenger's check-in order number |
| Frequent Flyer Number | Full, unredacted loyalty program account number |
| FF Tier | Elite status code for the loyalty program |
| Baggage Info | Baggage tag license plate numbers for checked bags |
| Security Data | An optional, airline- or authority-defined tamper-detection block (a signature in schemes such as the US one) covering the pass itself |
The security data field is the source of the most pervasive and dangerous misunderstanding about boarding passes. Passengers and even some technology managers assume the personal data inside the barcode is encrypted. It is not. Where a carrier or authority requires a security block, it is a signature over the pass contents, designed to let a reader detect a forged ticket or a changed seat class. It does nothing to protect the passenger's name, their booking reference, or their loyalty account number. All of that is plaintext, and it is plaintext whether the security block is present or not.
The security signature in a BCBP barcode lets a reader detect tampering with the pass. It does not encrypt the personal data. A boarding pass image posted to Instagram hands anyone who sees it the name, PNR, and frequent flyer number in completely readable form.
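To make the table concrete, here is a minimal decoder for the BCBP "M" format. This is an added example, not code from the article; the field widths follow the published mandatory and conditional item layout of Resolution 792, and the sample barcode string is constructed here (fictional passenger, fictional ticket, dummy security blob) rather than taken from any real boarding pass. Nothing in the decoder decrypts anything: every field is read by slicing the string at a known offset, and the security block is simply carried through untouched.

```python
"""Added example: a minimal decoder for the IATA BCBP ("M" format) barcode.

Not code from the article. Field widths follow the published mandatory and
conditional item layout of Resolution 792. SAMPLE_BARCODE is constructed
for illustration (fictional passenger, ticket and security data).
"""
from datetime import date, timedelta

MANDATORY_LEG_FIELDS = (
    ("pnr", 7), ("origin", 3), ("destination", 3), ("carrier", 3),
    ("flight", 5), ("day_of_year", 3), ("compartment", 1), ("seat", 4),
    ("sequence", 5), ("status", 1),
)

# Constructed sample: 60-char mandatory block, 72-char conditional block
# (hex size "48"), then a 24-char security block. Sizes are hex per the spec.
SAMPLE_BARCODE = (
    "M1" + "DOE/JANE".ljust(20) + "E"                          # format, legs, name, e-ticket
    + "XYZ789".ljust(7) + "SYD" + "HND" + "QF".ljust(3)        # leg 1 mandatory items
    + "0025".ljust(5) + "079" + "J" + "006A" + "00042" + "3"
    + "48"                                                     # size of conditional block
    + ">6" + "18"                                              # version 6, unique section size
    + "0" + "W" + "W" + "0079" + "B" + "QF".ljust(3) + "0081234567001"
    + "2A"                                                     # repeated section size
    + "081" + "1234567890" + "0" + "1" + "QF".ljust(3) + "QF".ljust(3)
    + "1234567890".ljust(16) + "N" + "30K" + "N"
    + "^1" + "14" + "DUMMYSIGNATUREDATA00"                    # security: type, hex len, data
)


def _take(buf, pos, n):
    """Return (field, new_pos); refuse to read past the end of a truncated barcode."""
    if pos + n > len(buf):
        raise ValueError(f"truncated barcode at offset {pos}, need {n} chars")
    return buf[pos:pos + n], pos + n


def _parse_conditional(cond, first_leg):
    """Pull the attacker-relevant conditional items: issuer, baggage tag,
    ticket number, selectee flag and the full frequent flyer number."""
    out, pos = {}, 0
    if first_leg and cond.startswith(">"):
        out["version"] = cond[1]
        usize = int(cond[2:4], 16)
        unique, pos = cond[4:4 + usize], 4 + usize
        # unique section: pax desc(1) checkin src(1) issue src(1) issue date(4)
        # doc type(1) issuer(3) baggage tag(13)
        if len(unique) >= 24:
            out["issuer"] = unique[8:11].strip()
            out["baggage_tag"] = unique[11:24].strip()
    if pos < len(cond):
        rsize = int(cond[pos:pos + 2], 16)
        rep = cond[pos + 2:pos + 2 + rsize]
        # repeated section: airline numeric(3) doc serial(10) selectee(1) intl doc(1)
        # marketing carrier(3) FF airline(3) FF number(16) ...
        if len(rep) >= 37:
            out["ticket_number"] = rep[0:13]
            out["selectee"] = rep[13]
            out["ff_airline"] = rep[18:21].strip()
            out["ff_number"] = rep[21:37].strip()
    return out


def parse_bcbp(data):
    """Decode a BCBP string into a dict. Every value comes straight out of the
    plaintext; the security block is returned as-is, not used for anything."""
    if not data.startswith("M"):
        raise ValueError("not a BCBP 'M' format code")
    legs = int(data[1])
    name, pos = _take(data, 2, 20)
    result = {"name": name.strip(), "legs": []}
    pos += 1  # electronic ticket indicator
    for leg_no in range(legs):
        leg = {}
        for key, width in MANDATORY_LEG_FIELDS:
            raw, pos = _take(data, pos, width)
            leg[key] = raw.strip()
        size_hex, pos = _take(data, pos, 2)
        cond, pos = _take(data, pos, int(size_hex, 16))
        leg.update(_parse_conditional(cond, first_leg=(leg_no == 0)))
        result["legs"].append(leg)
    if pos < len(data) and data[pos] == "^":
        sec_type, pos = _take(data, pos + 1, 1)
        sec_len, pos = _take(data, pos, 2)
        sec_data, pos = _take(data, pos, int(sec_len, 16))
        result["security"] = {"type": sec_type, "data": sec_data}
    return result


def resolve_date(day_of_year, year):
    """The barcode stores only the day-of-year; the year comes from context."""
    return date(year, 1, 1) + timedelta(days=int(day_of_year) - 1)


if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE_BARCODE)
    print(decoded["name"], decoded["legs"][0]["pnr"], decoded["legs"][0]["ff_number"])
    print(resolve_date(decoded["legs"][0]["day_of_year"], 2020))
```

The two values an attacker needs for the manage-booking form, `name` and `pnr`, are the first things the parser emits, and the loyalty number comes out of the conditional section unmasked regardless of what the printed pass shows. The `_take` guard matters in practice: a partially obscured photo often decodes to a truncated string, and a parser that silently returns garbage for it hides the fact that most of the payload was still recovered.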
The authentication crisis hiding in plain sight
The severity of a boarding pass exposure is not about the data in isolation. It is about what that data unlocks in the backend systems of the global aviation network.
The industry runs on a small group of Global Distribution Systems, primarily Amadeus, Sabre, and Travelport. These platforms handle roughly ninety percent of all flight reservations worldwide. They were originally designed in the 1970s and 1980s as closed mainframe systems accessed only from terminals inside airline offices or approved travel agencies. External intrusion was not a concern because external access was not possible.
The internet changed everything around those systems without changing the systems themselves. Airlines built consumer-facing web portals and mobile apps on top of mainframe backends whose design dates from those decades. The result is a structural mismatch: modern interfaces sitting on top of authentication models that predate the concept of a public-facing credential.
The primary way a passenger accesses their booking is with two pieces of information: their last name and their PNR code. That is the complete authentication credential. No password. No email verification. No second factor.
Both of those values are printed in plaintext on the face of every boarding pass and encoded unencrypted in the barcode.
| Property | Finding | Detail |
|---|---|---|
| PNR entropy | At most about 31 bits | A six-character string over A-Z and 0-9 has 36^6, roughly 2.2 billion, possible values, fewer than a five-character password drawn from the full printable ASCII set; carriers that exclude ambiguous characters have fewer still. No financial service would accept a token this short as a sole credential. |
| Generation method | Often sequential | Two of the three major GDS platforms have historically assigned PNR codes sequentially rather than using secure random generation, so an attacker holding one valid code can extrapolate its neighbours. |
| Brute-force protection | Frequently absent | Independent audits have found multiple airline portals without rate limiting or CAPTCHA protection, allowing automated enumeration of valid PNRs at scale. |
Israeli security researcher Noam Rotem demonstrated this in a detailed investigation of the Amadeus booking system. By manipulating URL parameters and exploiting the absence of brute-force protections on an airline's customer portal, Rotem's automated script could iterate through PNR codes and harvest passenger data at scale. Just the booking ID and last name provided complete account access. Amadeus and the airlines involved implemented targeted mitigations following the disclosure, but because individual airlines build custom front-ends over the shared GDS backend, protection is applied inconsistently across the industry.
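The enumeration pattern Rotem exploited is also what a defender should be looking for in the portal's access logs. The detector below is an added example and not code from the article, from Amadeus or from any airline: the log format (client IP, last name and PNR as query parameters, HTTP status) is an assumption to adapt to a real portal, and the log lines are constructed. It flags a client that tries many references with a high failure rate, and separately a client whose attempted references are consecutive when read as base-36 integers, which is the signature of someone walking a sequential allocator.

```python
"""Added example: spotting PNR enumeration in manage-booking access logs.

Not code from the article or from any airline. The log format, thresholds
and the log lines in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /manage-booking\?'
    r'lastname=(?P<name>[A-Z]+)&pnr=(?P<pnr>[A-Z0-9]{6}) HTTP/1\.1" (?P<status>\d{3})'
)

# Constructed: one client walking XYZ788..XYZ78D (consecutive in base-36),
# two ordinary passengers, one of them mistyping their reference once.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2020:09:00:01 +1100] "GET /manage-booking?lastname=DOE&pnr=XYZ788 HTTP/1.1" 404
203.0.113.7 - - [19/Mar/2020:09:00:02 +1100] "GET /manage-booking?lastname=DOE&pnr=XYZ789 HTTP/1.1" 200
203.0.113.7 - - [19/Mar/2020:09:00:02 +1100] "GET /manage-booking?lastname=DOE&pnr=XYZ78A HTTP/1.1" 404
203.0.113.7 - - [19/Mar/2020:09:00:03 +1100] "GET /manage-booking?lastname=DOE&pnr=XYZ78B HTTP/1.1" 404
203.0.113.7 - - [19/Mar/2020:09:00:03 +1100] "GET /manage-booking?lastname=DOE&pnr=XYZ78C HTTP/1.1" 404
203.0.113.7 - - [19/Mar/2020:09:00:04 +1100] "GET /manage-booking?lastname=DOE&pnr=XYZ78D HTTP/1.1" 404
198.51.100.4 - - [19/Mar/2020:09:01:10 +1100] "GET /manage-booking?lastname=SMITH&pnr=Q4K7LM HTTP/1.1" 200
198.51.100.9 - - [19/Mar/2020:09:02:30 +1100] "GET /manage-booking?lastname=NGUYEN&pnr=H2T9RW HTTP/1.1" 404
198.51.100.9 - - [19/Mar/2020:09:02:45 +1100] "GET /manage-booking?lastname=NGUYEN&pnr=H2T9PW HTTP/1.1" 200
"""


def parse_log(text):
    """Yield (ip, last_name, pnr, status) for every manage-booking lookup."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m["ip"], m["name"], m["pnr"], int(m["status"])))
    return events


def longest_base36_run(pnrs):
    """Longest run of distinct PNRs that are consecutive as base-36 integers.
    Assumes the allocator's alphabet is A-Z0-9; adjust if a carrier differs."""
    values = sorted({int(p, 36) for p in pnrs})
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(text, min_attempts=5, min_failure_ratio=0.5, min_run=4):
    """Return {ip: finding} for clients that look like they are guessing PNRs.
    A finding carries the attempt count, failure ratio, longest sequential
    run and, most importantly, the (name, pnr) pairs that actually succeeded:
    those bookings must be treated as compromised."""
    per_ip = defaultdict(list)
    for ip, name, pnr, status in parse_log(text):
        per_ip[ip].append((name, pnr, status))
    findings = {}
    for ip, tries in per_ip.items():
        pnrs = [p for _, p, _ in tries]
        failures = sum(1 for _, _, s in tries if s != 200)
        ratio = failures / len(tries)
        run = longest_base36_run(pnrs)
        if len(tries) >= min_attempts and (ratio >= min_failure_ratio or run >= min_run):
            findings[ip] = {
                "attempts": len(tries),
                "distinct_pnrs": len(set(pnrs)),
                "failure_ratio": round(ratio, 2),
                "longest_sequential_run": run,
                "hits": sorted({(n, p) for n, p, s in tries if s == 200}),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_enumeration(SAMPLE_LOG).items():
        print(ip, finding)
```

Run against the constructed log it flags only 203.0.113.7, with a failure ratio above 0.8 and a sequential run of six, and it lists the one booking the guessing actually opened. The passenger who mistyped once is not flagged: two attempts is below the threshold and the two references are not adjacent. The same counters are what a rate limit keyed on client and on last name should be enforcing in the first place; the detector is the control you want when that limit is missing, which is the situation the audits above describe.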
What one boarding pass actually enables
From the moment a threat actor extracts a PNR, last name, and frequent flyer number from a posted boarding pass, four distinct attack chains become available.
First order: itinerary manipulation
This requires nothing more than the PNR and last name. The attacker logs into the airline's manage-booking portal and immediately has the same control over the passenger's current and future reservations that the passenger has.
They can cancel flights. They can reassign seats. They can modify the contact email on the booking, ensuring that all subsequent notifications, including cancellation confirmations, route to the attacker while the passenger receives nothing. The victim boards nothing and understands nothing until they arrive at a departure gate to find no reservation on file.
Second order: loyalty account takeover
Boarding passes encode the full, unredacted frequent flyer number even on carriers that visually mask it on the printed pass. Airlines like United partially obscure the number on the paper document with asterisks, creating a false sense of protection. The barcode does not mask anything.
With the complete loyalty number in hand, an attacker initiates a password reset. They already know the passenger's full name, travel dates, and destinations. Supplementary information for security questions (hometown, pet names, school attended) is often visible on the same social media profile where the boarding pass was posted. Once inside, they drain the account of its accumulated points. A Platinum-level frequent flyer account can carry the equivalent of thousands of dollars in flight value, and miles sell easily on dark-web secondary markets.
Third order: passport and identity data
For international flights, airlines are required by border agencies worldwide to collect Advance Passenger Information (APIS data). This data attaches to the PNR. It includes the passenger's full passport number, nationality, date of birth, and passport expiry date.
When an attacker authenticates to the booking portal with a valid PNR and last name, this passport data is frequently accessible in the booking record. As the Abbott incident demonstrated, even when the front-end interface omits it from the visible page, the server often sends the full record to the browser regardless. Developer tools expose everything that the interface chose not to render.
The combination of a full legal name, date of birth, physical address, and valid passport number is the complete kit required for identity fraud. Criminals use it to open credit accounts, apply for loans, manufacture counterfeit documents, or sell the consolidated record on dark-web marketplaces where verified identity packages command a premium.
Fourth order: the home-empty problem
A boarding pass is not just a travel document. It is a time-stamped announcement that the holder will not be at their primary residence.
The PNR gives an attacker access to the full itinerary, including the return flight date. That establishes a precise window of absence. Cross-referencing the traveler's social media account with public property records, voter registration databases, or geolocation metadata from previous posts typically yields a home address. The attacker now knows where the target lives and exactly when no one will be there.
Publishing a boarding pass outbound and posting a return photo from the same trip gives criminals a verified, publicly sourced timeline of your home's vacancy. The solution is not to stop sharing travel content. The solution is delayed posting: share anything you want, but only after you are home.
The Abbott case: what actually happened
Alex Hope's demonstration in March 2020 had an important technical layer beyond what most coverage described.
The Qantas portal, after Hope authenticated with Abbott's PNR and last name, did not display the passport number on the main booking screen. A casual observer would have concluded that the data was safe. Hope did not stop there. He opened the browser developer tools and read the raw page source the server had already sent to the browser, before the front-end code decided what to show on screen.
Inside that response, in complete plaintext, was Abbott's full passport number.
This is the front-end obfuscation trap: hiding sensitive data from the rendered interface while transmitting it in the underlying API call. The server does not know or care whether the user is a normal browser or a script calling the endpoint directly. The data is in transit either way.
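The fix for this trap is to make the disclosure decision on the server, before serialisation, so that there is nothing in the response for developer tools or a direct script call to find. The code below is an added example and not Qantas's code or anything from the article; the booking record and its field names are constructed, and the role names are assumptions. It puts the leaky serializer beside an allowlisted one and checks the wire bytes, not the rendered page, for leaked secrets.

```python
"""Added example: the front-end obfuscation trap beside its server-side fix.

Not code from the article or from any airline. BOOKING_RECORD is a
constructed booking with made-up values; field and role names are
assumptions. The lesson: what a caller may see is decided on the server,
before serialisation, never by the browser deciding what to render.
"""
import json

# Constructed booking record as it might sit behind a manage-booking endpoint.
BOOKING_RECORD = {
    "pnr": "XYZ789",
    "last_name": "DOE",
    "first_name": "JANE",
    "flights": [{"carrier": "QF", "number": "25", "date": "2020-03-19", "seat": "6A"}],
    "contact_phone": "+61 400 000 000",
    "staff_notes": "VIP - prefers aisle",
    "frequent_flyer": "1234567890",
    "apis": {"passport_number": "N1234567", "nationality": "AUS",
             "dob": "1980-01-02", "expiry": "2028-05-01"},
}

# Fields a caller who proved only name + PNR is allowed to see in full.
PASSENGER_VIEW = ("pnr", "last_name", "first_name", "flights")


def vulnerable_response(record):
    """The trap: ship the whole record and let the page hide what it does not
    render. Anyone reading the raw response, or calling the endpoint with
    curl, gets the phone number, staff notes and passport number anyway."""
    return json.dumps(record)


def mask_tail(value, keep):
    """Show only the last `keep` characters, e.g. 'N1234567' -> '******67'."""
    return "*" * (len(value) - keep) + value[-keep:]


def hardened_response(record, caller):
    """Serialise an explicit allowlist chosen by the caller's role. Identifiers
    the passenger may need to confirm are masked; staff notes never leave the
    server for a passenger session, whatever the page would have hidden."""
    if caller == "passenger":
        view = {k: record[k] for k in PASSENGER_VIEW}
        view["frequent_flyer"] = mask_tail(record["frequent_flyer"], 3)
        view["passport_number"] = mask_tail(record["apis"]["passport_number"], 2)
    elif caller == "airport_agent":
        # Constructed role: needs the travel document for check-in, not the notes.
        view = {k: record[k] for k in PASSENGER_VIEW}
        view["apis"] = dict(record["apis"])
    else:
        raise PermissionError(f"no booking view defined for role {caller!r}")
    return json.dumps(view)


def leaks(serialised, secrets):
    """Check the wire bytes, not the rendered page: which secrets appear verbatim?"""
    return [s for s in secrets if s in serialised]


SECRETS = [
    BOOKING_RECORD["apis"]["passport_number"],
    BOOKING_RECORD["staff_notes"],
    BOOKING_RECORD["frequent_flyer"],
    BOOKING_RECORD["contact_phone"],
]

if __name__ == "__main__":
    print("vulnerable leaks:", leaks(vulnerable_response(BOOKING_RECORD), SECRETS))
    print("hardened leaks:  ", leaks(hardened_response(BOOKING_RECORD, "passenger"), SECRETS))
```

The `leaks` check is the test worth keeping in a portal's CI: it asserts on what the server emits for a name-plus-PNR session, which is the only thing an attacker can see, and it would have caught the Abbott response before any front-end code ran. Showing the full passport number to a passenger who wants to verify it is a separate action that should demand a stronger proof of identity than the PNR, not a field quietly included in every response.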
Hope disclosed responsibly. The Australian government was notified first, then Qantas. The airline remediated the response. Abbott received a new passport. But the incident established an empirical fact: the operational security of a former prime minister could be dismantled in under sixty seconds with a barcode reader and a browser. The average traveler, with no security detail and no government response team, has no comparable protection.
The breach economy behind the vulnerability
Individual boarding pass exposures are not the only problem. The same data that a single photo exposes is the same data that organized cybercriminal groups spend significant resources attempting to extract from airline infrastructure at scale.
| Breach | Year | Scope | Primary Vector |
|---|---|---|---|
| British Airways | 2018 | 429,612 individuals; 244,000 payment cards | Magecart JavaScript injection via third-party supplier |
| Eurail B.V. | 2023/2024 | 308,777 passengers; 1.3 TB stolen | System intrusion; data sold on Telegram |
| Vietnam Airlines | 2020-2025 | Millions over five years | Third-party CRM vulnerability |
| Sabre SynXis | 2017 | Hundreds of thousands of hotel reservations | Unauthorized access to reservation system |
The 2018 British Airways breach netted a 20 million pound fine from the UK Information Commissioner's Office under GDPR. The Eurail breach required tens of thousands of affected travelers to cancel and reissue their passports at personal expense, after their data appeared for sale on encrypted Telegram channels.
These macro-level incidents are the industrialized version of what a solo attacker does with a single Instagram post. When you post an unredacted boarding pass, you are voluntarily providing what these groups spend significant effort trying to steal from corporate servers.
Where the industry is heading
The TSA has been aggressively deploying Credential Authentication Technology (CAT) across major US airports. First-generation CAT units eliminate the boarding pass entirely at the security checkpoint: a passenger inserts their physical ID, the terminal queries the Secure Flight database directly, and the system confirms eligibility without any barcode ever being presented.
Second-generation CAT-2 units add a 1:1 facial match against the presented ID photo, detecting fraudulent documents and thwarting identity impersonation. The live photos are purged immediately after matching and are not stored in any database.
| Technology | Mechanism | Boarding Pass Required | Privacy Model |
|---|---|---|---|
| CAT (Gen 1) | Physical ID scanned, Secure Flight queried | No | PII deleted post-verification |
| CAT-2 (Gen 2) | Physical ID plus live facial match | No | Photo purged after 1:1 match |
| Digital ID (Apple/Google Wallet) | NFC or dynamic QR code from secure enclave | No | Only minimum required data transmitted |
Digital IDs in Apple Wallet, Google Wallet, and Samsung Wallet represent the most comprehensive fix for the individual: a state-issued credential stored in a hardware security enclave on the user's device, requiring biometric authorization for every presentation, and transmitting only the minimum required verification data via encrypted NFC. A screenshot of this credential cannot be decoded by a remote attacker. It requires the physical device and the user's own biometric.
CAT and Digital ID technology secures the airport security perimeter. It does not secure the airline's backend database. Passengers still receive standard barcoded boarding passes for gate access. The GDS authentication problem remains completely unresolved at the infrastructure level.
What you should actually do
The gap between where the industry is and where it needs to be is substantial. Until airlines require something stronger than a last name and a PNR to open a booking, the practical burden of protection falls entirely on the individual traveler.
Never post an unedited boarding pass image. The instinct to share travel excitement is understandable. The risk is not hypothetical, it is documented, industrialized, and ongoing. If you want to capture the moment, cover the barcode and the PNR with your hand, a physical object, or a solid color swatch in your editing app before the photo is taken.
Never rely on digital filters. Pixelation and blurring applied after the fact are often reversible, and attackers maintain dedicated tooling for recovering data from superficially obscured images. A sticker or emoji that covers only part of the barcode is no better: PDF417, Aztec and QR codes carry error correction precisely so that a reader can recover the full payload with a sizeable portion of the symbol missing. The only safe approach is physical occlusion of the whole barcode and the printed PNR before the photo is taken.
Post after you return. The home-empty threat is trivially neutralized by one behavioral change. Post your travel content as throwbacks once you are safely home. The photos have exactly the same social value to your audience and zero burglary value to anyone watching.
Destroy physical passes at home. Boarding passes discarded in airport trash, left in airplane seat pockets, or dropped in hotel rooms are recoverable. Treat them like receipts containing your credit card number. Shred them when you return home.
Monitor your frequent flyer accounts. Set up login notifications if your carrier offers them. Check your mileage balance after any trip you publicized. An unexpected drop or an unauthorized login is your first indication that a barcode scan preceded an account takeover.
Ask for a new PNR after an exposure. If a pass was posted before the trip ended, contact the airline and ask whether the remaining itinerary can be reissued under a new booking reference. Not every carrier will do this, and it does nothing for data already harvested, but it cuts off access to the flights still to come.
The boarding pass has looked the same since the shift from magnetic stripe to barcode in 2010. Its exterior has not changed. What has changed is the attack surface around it, the mobile cameras, the instant-share infrastructure, the OSINT tooling, and the dark-web markets that monetize extracted data. The document stayed static while the threat landscape around it evolved by a decade.
Understanding what is inside the barcode is the first step. Not posting it is the second. The gap between those two steps is smaller than most people think.