
Ride Access Pass and Disabled Access - 2026 Discussion

I would also like to point out that the amount of data in these QR codes probably isn't that much (depending on how the app is set up, it is probably some sort of ID number, or a name only recognisable to the app). This could allow them to have a high data recovery rate (a feature built into QR codes), meaning even some serious tampering won't have an impact (the QR codes with a picture in the middle aren't a standard; it is literally people just covering up part of the QR code and making the data recovery do the work).
 
What would you be tricking them into? The app wouldn’t recognise the code, a few people would gather at the queue and complain to the staff member, who would be forced to let them on without a slot until someone replaced it.

The signs are quite inconspicuous too (at Legoland). They are close to the QR codes for translating the safety boards which seem to have survived so far and not fooled customers into handing over bank details to my knowledge!
If we operate under the logical assumption that everyone will scan the code using the dedicated scanner inside the RAP App, in that specific scenario, you're right. The app will have validation logic (such as checking if the QR string matches a specific URL schema like merlin-rap://check-in/nemesis). If it scans a rogue sticker linking to a phishing site, the app will simply reject it as an invalid token.

In the real world, however, user behaviour is rarely logical.

Many guests will simply point their standard iPhone or Android camera app at the sign because that is how they have been trained to interact with QR codes since the pandemic. If a bored teenager, a demographic with an infinite capacity for causing low level chaos, places a sticker over the official code, the native camera will happily follow that link to wherever it leads.

This might just be a Rickroll (best case scenario), or an image of a biological nature that parents would prefer their children not to see. Worst case, it's a Quishing attack: a fake login page designed to harvest email addresses and passwords from unsuspecting tourists expecting to see a queue time.

It's depressingly easy to visualise the inevitable viral stunt. Some enterprising YouTuber prints a sticker linking to their own profile, slaps it over the Nemesis Reborn check in code, and uploads a ten minute video titled "I HACKED THE ALTON TOWERS APP?! 😱 (SECURITY CALLED!)".

In reality, of course, they've just vandalised a piece of plastic with a sticker they printed at home. But to the confused casual visitor trying to check in for their ride, who suddenly finds themselves redirected to a "Like and Subscribe" page rather than the virtual queue, the disruption is real enough.
It relies on the public's inherent trust that a code on an official looking sign does what it is supposed to do.

The app itself is secure because it validates the input. The vulnerability lies in the physical world and the fallibility of the user.

Mitigating this is a constant battle of whack a mole for the ops team. Using "Deep Links" or "Universal Links" helps (where the phone OS automatically opens the specific app when it recognises the URL), but you can't patch a sticker with software. You just have to hope the staff are checking the signs.
 
Sadly they aren't that clever to do deep links; it's literally a park code (ATR, TPR), a ride id (number) and the date for the end of the year.
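To make the point of the two posts above concrete (the in-app scanner validates what it reads, while a stock phone camera will happily open any web link on a sticker), here is an added example that is not code from the RAP app or from Merlin. It accepts the two payload shapes the thread speculates about: the `merlin-rap://check-in/<ride>` custom scheme from the earlier post, and the plain "park code / ride id / date" token from the last reply. The exact token layout, the ride allowlist, the reference date and all sample scans are constructed assumptions for the example.

```python
"""Classify scanned QR payloads as a RAP-style check-in app should, and
contrast that with what a stock camera app does with the same string.

Added example; not the RAP app's own code. Payload formats are assumptions.
"""
import re
from datetime import date, datetime
from typing import Tuple
from urllib.parse import urlsplit

# Assumed custom scheme, as speculated in the thread (merlin-rap://check-in/nemesis)
APP_SCHEME = "merlin-rap"
APP_HOST = "check-in"
# Constructed allowlist of ride slugs; a real app would fetch this from its backend
RIDE_SLUGS = {"nemesis", "wickerman", "oblivion"}
# Park codes quoted in the thread; the token layout PARK(3) RIDE(3) YYYYMMDD is a guess
PARK_CODES = {"ATR", "TPR"}
PLAIN_TOKEN = re.compile(r"^(?P<park>[A-Z]{3})(?P<ride>\d{3})(?P<expiry>\d{8})$")
# Constructed reference date so the example is deterministic
TODAY = date(2026, 6, 1)


def validate_in_app(payload: str, today: date = TODAY) -> Tuple[bool, str]:
    """What the dedicated in-app scanner should do: accept only payloads that
    match one of the two expected shapes and reject everything else."""
    parts = urlsplit(payload)
    # Shape 1: custom URL scheme, known host, known ride, no extra parameters
    if parts.scheme == APP_SCHEME:
        ride = parts.path.strip("/")
        if parts.netloc == APP_HOST and ride in RIDE_SLUGS and not parts.query:
            return True, f"check-in for {ride}"
        return False, "well-formed scheme but unknown ride or extra parameters"
    # Shape 2: plain park/ride/expiry token
    m = PLAIN_TOKEN.match(payload)
    if m:
        if m["park"] not in PARK_CODES:
            return False, "unknown park code"
        try:
            expiry = datetime.strptime(m["expiry"], "%Y%m%d").date()
        except ValueError:
            return False, "malformed expiry date"
        if expiry < today:
            return False, "token expired"
        return True, f"park {m['park']} ride {m['ride']} valid until {expiry}"
    # Anything else, web links included, is simply not a token
    return False, "not a RAP token"


def native_camera_action(payload: str) -> str:
    """What a stock phone camera does with the same payload: it knows nothing
    about RAP tokens, so any http(s) URL is offered straight to the browser."""
    parts = urlsplit(payload)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "open-in-browser"
    if parts.scheme == APP_SCHEME:
        # Only works if the app registered the scheme (or a universal link)
        return "open-app-if-installed"
    return "show-as-text"


def assess(payload: str, today: date = TODAY) -> dict:
    """Side-by-side outcome for one scan: in-app verdict vs stock camera."""
    ok, reason = validate_in_app(payload, today)
    return {
        "payload": payload,
        "app_accepts": ok,
        "reason": reason,
        "native_camera": native_camera_action(payload),
    }


# Constructed sample scans: two genuine shapes, then the sticker scenarios
SAMPLE_SCANS = [
    "merlin-rap://check-in/nemesis",          # genuine app link
    "ATR01720261231",                         # genuine plain token, expires end of year
    "ATR01720250101",                         # stale token from last season
    "https://video-site.example/@creator",    # sticker linking to a profile
    "https://rap-login.example/verify",       # quishing-style fake login page
    "merlin-rap://check-in/nemesis?x=1",      # scheme reused with extra parameters
]

if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        r = assess(scan)
        verdict = "ACCEPT" if r["app_accepts"] else "REJECT"
        print(f"{r['payload']:<40} app={verdict:<6} ({r['reason']}); "
              f"camera={r['native_camera']}")
```

Running it shows the asymmetry the thread describes: every sticker link is rejected by the in-app validator, but the same two `https://` payloads come back as `open-in-browser` for the stock camera. That gap is the one that signage checks and, where the app supports them, registered universal links are meant to close.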
 