Fake Boarding Pass App Gets You Into Airline Lounges

People have used fake elite status cards to skip security lines and a girl once cleared Turkish immigration with her unicorn toy’s fake passport.

British Airways used to promote their mobile boarding passes with Osama Bin Laden’s name on it. And you used to be able to generate your own boarding pass from a website, which some poeple used to go through security when not flying (a very bad idea — better to actually buy a refundable ticket, clear security, and then refund the ticket if you must have gate access).

Now there’s an app to generate fake boarding passes that will get you into airline lounges.


American Airlines Admirals Club Agents, Paris

And while it does seem to work in airline lounges where agents scan a boarding pass rather than validate your details themselves, the point of the project is actually

…intended to point out that even now, a decade later, the boarding pass security issue persists, and in some ways is easier than ever to exploit thanks to airports’ use of automated QR-code readers.

“Literally, it takes 10 seconds to create a boarding pass” on a smartphone, says Jaroszewski. “And it doesn’t even have to look legit because you’re not in contact with any humans.”

The app is even more ideal at lounges where you scan your own boarding pass for entry.

Here’s a video of the app’s creator gaining access to the July 15 Heroes of Democracy Lounge in Istanbul (in fact, the video was made prior to the lounge’s renaming, so it was Turkish’s CIP lounge then):

(HT: Paul H.)

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Comments

  1. I was talking to a lounge dragon who told me he’s confiscated lounge cards with mismatched credentials. I would not want to be the first person at a manned counter using that app after they fix the security hole.

  2. @DaninMCI That is a great point. I wonder if use of this app could be considered shoplifting? It certainly is in principle. I once read about a guy who was arrested for shoplifting after having been discovered swapping price labels at a retail store, so maybe in some municipalities the definition would be broad enough to include the theft of services.

  3. “The app is even more ideal at lounges where you scan your own boarding pass for entry.”

    This statement alone tells me you are endorsing a product that enables, in every sense of the word, theft. Would you promote a mobile mechanism to disable grocery store sensors to allow you to walk out without paying for things — just to “point out” anti-shoplifting measures still don’t work?

    That’s the same rationalization computer virus developers use — they do it “because they can” regardless of the underlying ethics of their actions, or the people they directly or indirectly harm.

    You should be ashamed of yourself and seriously consider deleting this post.

  4. Yes, it’s theft, a crime.Beyond that , I’d think there are some countries where security personnel might wonder whether your intent in preparing a fake boarding pass goes beyond free sandwiches and drinks. Could make for some interesting conversations with guys who don’t smile a lot and aren’t trained to be gentle.

  5. @RAY read what i say is “the point of the project” and then reconsider your comment.

    “more ideal” refers to where it would work best, which is without human involvement at all.

  6. ooo… so should i say…. i have a project to hack banks to prove that it is vulnerable to trust bank security. and say it “would be ideal to hack a smaller, less secure bank to test it out.”

    LOL

  7. Nice to be in the know. You would think the airlines would know how to prevent this. By getting the word out, hopefully people will realize that the airlines are fully aware of the loophole in the validation.
    One major caution to mention is that Free Apps are known to be laced with malware, spyware, etc.
    Think camera, location tracking, website tracking etc. All completely legal when the users consents to the apps terms and requests access to those phone functions.

  8. Buying a fully refundable ticket to gain access to a lounge is against some airlines’ terms of use, and likely not a good idea – at least with those airlines.

    “…creating bookings to hold or block seats for the purpose of obtaining lower fares, AAdvantage award inventory, or upgrades that may not otherwise be available, =or to gain access to airport facilities,=, or to circumvent any of American Airlines’ fare rules or policies, is prohibited without prior authorization from American Airlines.”

    AA can choose to not refund a ticket used for lounge access.

  9. This is another tool that can be used to discover security weaknesses in airports and hopefully can be improved, as well as airport security awareness program for staff. I’ve been in lounges with just my Priority Pass card and the receptionist doesn’t even check an ID or boarding pass to ensure it’s indeed “ME”…

Leave a Reply

Your email address will not be published. Required fields are marked *