Stamp Hunt app icon Stamp Hunt
← All guides Guide

What your boarding pass barcode reveals about you — and why we only read the route

That airport photo with your boarding pass in hand gives away more than the trip. Here's what fits inside the barcode — and what an honest app should do with it.

Stamp Hunt Brasil scan screen highlighting the option to scan a boarding pass barcode

There’s a social media classic that survives every era: the airport photo with the boarding pass in hand, holiday-bound. The trouble is that the little rectangle doesn’t just show your destination — the barcode printed on it tells anyone who can read it considerably more about you than the caption does.

What fits inside a barcode

The format is standardised worldwide by IATA, the airlines’ international association, under a standard called BCBP (Bar Coded Boarding Pass, defined in Resolution 792). It’s a two-dimensional code — PDF417 on paper; QR, Aztec or Datamatrix on your phone — carrying a structured data message: passenger name, booking reference, route, carrier, seat and, when there is one, your frequent flyer number.

None of this is a state secret — it’s literally what the gate scanner needs to know. The catch is that anyone with a barcode decoder (there are plenty, free, on the web) reads exactly the same thing.

The experiment that became a lesson

In 2015, security journalist Brian Krebs published a case that became the reference: a reader took the photo of a boarding pass a friend had posted on Facebook, decoded the barcode, and came out the other side with the friend’s name, frequent flyer number and booking reference. With those on the airline’s website, he could see the friend’s future flights, change his seat — and even cancel flights. Combined with publicly available social media information (mother’s maiden name, for instance), he could even reset the PIN on the mileage account.

Krebs’s conclusion holds up a decade later, not least because the standard is still the same: a boarding pass is a document, not a photo prop. Don’t post the picture, don’t leave the stub in the seat pocket, and bin it the way you’d bin a bank statement.

”Right, but your app scans exactly that code”

Fair. Stamp Hunt Brasil uses the camera to scan the boarding pass barcode — that’s how a trip becomes a Rare or Legendary stamp in the collection. The difference is in what happens after the read: the app recognises the origin and destination — the route, which is what proves which state you were in — and that’s the part that matters. Your collection and your evidence stay on your device; there’s no server of ours receiving your data, no account to create, no public feed. The international Stamp Hunt works on the same logic, with passes imported from Apple Wallet or flights synced from Flighty and Tripsy.

Stamp Hunt proof options screen in light mode, including boarding pass and flight import Stamp Hunt proof options screen in dark mode, including boarding pass and flight import

It’s a simple rule we apply to every app in the house: read the minimum necessary and never touch a server we control. GalleryCheckup looks through your photo library for duplicates without a single photo leaving your iPhone; Receitorio keeps your recipes without a social network; TigelaBoa tracks your pet’s meals without an account; Artisan View runs a maker’s production without analytics. No funny business, as we like to say.

Borders are going ever more digital — the ink stamp is already on its way out in Europe — and records of your trips will exist either way. The only choice left is where they live: on somebody else’s server, or in your pocket.

Sources