
Ride Access Pass and Disabled Access - 2026 Discussion

I would also like to point out, the amount of data in these QR codes probably isn't that much (depending on how the app is set up, it is probably some sort of ID number, or name only recognisable to the app). This could allow them to have a high data recovery rate (a feature built into QR codes), meaning even some serious tampering won't have an impact (the QR codes with a picture in the middle aren't a standard; it is literally people just covering up the QR codes and making the data recovery do the work).
 
What would you be tricking them into? The app wouldn’t recognise the code, a few people would gather at the queue and complain to the staff member, who would be forced to let them on without a slot until someone replaced it.

The signs are quite inconspicuous too (at Legoland). They are close to the QR codes for translating the safety boards which seem to have survived so far and not fooled customers into handing over bank details to my knowledge!
If we operate under the logical assumption that everyone will scan the code using the dedicated scanner inside the RAP App, in that specific scenario, you're right. The app will have validation logic (such as checking if the QR string matches a specific URL schema like merlin-rap://check-in/nemesis). If it scans a rogue sticker linking to a phishing site, the app will simply reject it as an invalid token.

In the real world, however, user behaviour is rarely logical.

Many guests will simply point their standard iPhone or Android camera app at the sign because that is how they have been trained to interact with QR codes since the pandemic. If a bored teenager, a demographic with an infinite capacity for causing low level chaos, places a sticker over the official code, the native camera will happily follow that link to wherever it leads.

This might just be a Rickroll (best case scenario), or an image of a biological nature that parents would prefer their children not to see. Worst case, it's a Quishing attack: a fake login page designed to harvest email addresses and passwords from unsuspecting tourists expecting to see a queue time.

It's depressingly easy to visualise the inevitable viral stunt. Some enterprising YouTuber prints a sticker linking to their own profile, slaps it over the Nemesis Reborn check in code, and uploads a ten minute video titled "I HACKED THE ALTON TOWERS APP?! 😱 (SECURITY CALLED!)".

In reality, of course, they've just vandalised a piece of plastic with a sticker they printed at home. But to the confused casual visitor trying to check in for their ride, who suddenly finds themselves redirected to a "Like and Subscribe" page rather than the virtual queue, the disruption is real enough.
It relies on the public's inherent trust that a code on an official looking sign does what it is supposed to do.

The app itself is secure because it validates the input. The vulnerability lies in the physical world and the fallibility of the user.

Mitigating this is a constant battle of whack a mole for the ops team. Using "Deep Links" or "Universal Links" helps (where the phone OS automatically opens the specific app when it recognises the URL), but you can't patch a sticker with software. You just have to hope the staff are checking the signs.
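
The in-app validation described in the post above, as an added example that is not part of the original post and not Merlin's app code. The scheme and host come from the poster's hypothetical `merlin-rap://check-in/nemesis`; the ride allow-list and the reason strings are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions: scheme/host follow the post's hypothetical example;
# the ride slugs are constructed sample values, not a real ride list.
SCHEME = "merlin-rap"
HOST = "check-in"
KNOWN_RIDES = {"nemesis", "oblivion"}


def validate_scan(payload: str) -> tuple[bool, str]:
    """Return (accepted, reason_or_ride) for a string decoded from a QR code."""
    # Reject input a lenient URL parser would silently strip or normalise
    # (control characters, whitespace, non-ASCII look-alikes, oversized data).
    if len(payload) > 128 or not payload.isascii() or not payload.isprintable():
        return False, "malformed"
    if " " in payload:
        return False, "malformed"
    try:
        parts = urlsplit(payload)
    except ValueError:
        return False, "malformed"
    if parts.scheme != SCHEME:
        # A web link on a check-in sign suggests the sign has been covered.
        web = parts.scheme in ("http", "https")
        return False, "foreign-web-link" if web else "wrong-scheme"
    # Compare the raw netloc so userinfo ("check-in@host") or a port cannot pass.
    if parts.netloc != HOST:
        return False, "wrong-host"
    if parts.query or parts.fragment:
        return False, "unexpected-parameters"
    ride = parts.path.removeprefix("/")
    if ride not in KNOWN_RIDES:
        return False, "unknown-ride"
    # Final strictness check: only the exact canonical string is accepted,
    # which also rejects a trailing "?" or "#" that the parser drops.
    if payload != f"{SCHEME}://{HOST}/{ride}":
        return False, "non-canonical"
    return True, ride
```

Logging the rejection reason against the sign being scanned would give the ops team a signal that a sign needs checking, rather than relying on staff spotting the sticker.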
 
If we operate under the logical assumption that everyone will scan the code using the dedicated scanner inside the RAP App, in that specific scenario, you're right. The app will have validation logic (such as checking if the QR string matches a specific URL schema like merlin-rap://check-in/nemesis). If it scans a rogue sticker linking to a phishing site, the app will simply reject it as an invalid token.

In the real world, however, user behaviour is rarely logical.

Many guests will simply point their standard iPhone or Android camera app at the sign because that is how they have been trained to interact with QR codes since the pandemic. If a bored teenager, a demographic with an infinite capacity for causing low level chaos, places a sticker over the official code, the native camera will happily follow that link to wherever it leads.

This might just be a Rickroll (best case scenario), or an image of a biological nature that parents would prefer their children not to see. Worst case, it's a Quishing attack: a fake login page designed to harvest email addresses and passwords from unsuspecting tourists expecting to see a queue time.

It's depressingly easy to visualise the inevitable viral stunt. Some enterprising YouTuber prints a sticker linking to their own profile, slaps it over the Nemesis Reborn check in code, and uploads a ten minute video titled "I HACKED THE ALTON TOWERS APP?! 😱 (SECURITY CALLED!)".

In reality, of course, they've just vandalised a piece of plastic with a sticker they printed at home. But to the confused casual visitor trying to check in for their ride, who suddenly finds themselves redirected to a "Like and Subscribe" page rather than the virtual queue, the disruption is real enough.
It relies on the public's inherent trust that a code on an official looking sign does what it is supposed to do.

The app itself is secure because it validates the input. The vulnerability lies in the physical world and the fallibility of the user.

Mitigating this is a constant battle of whack a mole for the ops team. Using "Deep Links" or "Universal Links" helps (where the phone OS automatically opens the specific app when it recognises the URL), but you can't patch a sticker with software. You just have to hope the staff are checking the signs.
Sadly they aren't that clever to do deep links, it's literally a park code (ATR TPR) ride id (number) and the date for the end of the year.
 
Right on queue (pun intended)

We can agree there's high demand but playing disability top trumps doesn't really help anyone, just empowers Merlin to push every bit worse for everyone.
There's a fair bit they can still do to manage on-the-day demand which helps with overall RAP experience.
 
Using Oblivion's queue as an argument is strange given it's pretty much the only fully accessible queue (bar the steps for Fastrack).

But yeah, it's going to descend into disability top trumps. Didn't see that coming.
 
Using Oblivion's queue as an argument is strange given it's pretty much the only fully accessible queue (bar the steps for Fastrack).
I think the accessibility of Oblivion's queue would depend very much on your access needs.

I can't see it meeting the needs of wheelchair users, for example, as it may be quite wide, but is also quite steep and uneven in places.

There's a specific gradient a slope needs to be under to be considered accessible under building regs, and I can't see Oblivion's queue meeting that criteria.
 
We can agree there's high demand but playing disability top trumps doesn't really help anyone, just empowers Merlin to push every bit worse for everyone.
There's a fair bit they can still do to manage on-the-day demand which helps with overall RAP experience.

To be fair to the man he didn’t seem to be, he actually said he understands some people with neurodiversity need the support but his perception is not everyone who gets RAP for neurodiversity needs RAP just as he said not everyone with a minor physical disability needs RAP.

I thought he came across as very reasonable and provided the other side of this argument well.
 
I think the accessibility of Oblivion's queue would depend very much on your access needs.

I can't see it meeting the needs of wheelchair users, for example, as it may be quite wide, but is also quite steep and uneven in places.

There's a specific gradient a slope needs to be under to be considered accessible under building regs, and I can't see Oblivion's queue meeting that criteria.
But don't wheelchair users access Oblivion from the ride exit? Which apart from the slope up to the arcade building is pretty level?
 
To be fair to the man he didn’t seem to be, he actually said he understands some people with neurodiversity need the support but his perception is not everyone who gets RAP for neurodiversity needs RAP just as he said not everyone with a minor physical disability needs RAP.

I thought he came across as very reasonable and provided the other side of this argument well.
I agree, he does raise some good points and understands that some neurodiverse people do genuinely need it.

Not surprised people are dismissing the article as "disability trumps", though... I sent it to my best friend, who has four autistic kids, and she called it just that and won't talk to me about it.
 
I think the accessibility of Oblivion's queue would depend very much on your access needs.

I can't see it meeting the needs of wheelchair users, for example, as it may be quite wide, but is also quite steep and uneven in places.

There's a specific gradient a slope needs to be under to be considered accessible under building regs, and I can't see Oblivion's queue meeting that criteria.

I'd say the slope to get out of X-Sector definitely isn't accessible. Especially for the person pushing a manual chair.
 