Qantas App issues?

I could only see the details of flights in the next 24 hours. For domestic flights I could click Manage booking and view the phone number and email address, full name and FF number. For international bookings I could view the same as domestic plus APIS, including passport number, nationality and DOB.
Ah sorry, I meant more not for immediately upcoming ones (so 24h, where it starts prompting you for check-in) but, say, 2 days from now or 2 weeks for the next upcoming trip.

That info is on the home page, but whether the page after that (which has all the details) is accessible too.
 
I don't understand why they don't just take the system down until they're sure it's fixed to avoid leaking any more data.

I'm sure customers can just check into their domestic flights at the airport....

Oh wait, they made the airport kiosks incapable of check-in.
 
So I thought I was unaffected, well at least not seeing other people’s stuff (who knows if anyone saw mine 🤷‍♂️), but just a few minutes ago I was looking at a flight tomorrow and the screen was showing a different destination, but the same state, before the correct flight details flashed up. The alternative was more interesting but I suspect the hotel bookings wouldn’t match…

I don't understand why they don't just take the system down until they're sure it's fixed to avoid leaking any more data.

I'm sure customers can just check into their domestic flights at the airport....

Oh wait, they made the airport kiosks incapable of check-in.
Leaving check-in until the airport has its risks these days…
 
My mother is flying today and earlier today she received a 2FA message. I was helping her last night with her booking and thought it might have been to do with that. After seeing this, now possibly her details showed up on someone else’s app and they attempted something 😳
 
So I tried logging out and logging back in and I still got the same random person, not me.

I even tried deleting the app and reinstalling and it still came back with the random person. They have a flight to Tokyo today and as a result I can see/download their boarding pass. Additionally by going onto manage booking and APIS I can see their name, email, phone number, date of birth and passport details. If that isn’t some form of data breach then I don’t know what is.

So it appears QF’s most recent update was incorrect:

UPDATE THREE – 12.10PM, 1 MAY 2024

We sincerely apologise to customers impacted by the issue with the Qantas app this morning, which has now been resolved.

Current investigations indicate that it was caused by a technology issue and may have been related to recent system changes.

At this stage, there is no indication of a cyber security incident.

The issue was isolated to the Qantas app with some frequent flyers able to see the travel information of other customers, including name, upcoming flight details, points balance and status.

No further personal or financial information was shared and customers would not have been able to transfer or use the Qantas Points of other frequent flyers. We’re not aware of any customers travelling with incorrect boarding passes.
 
While Qantas has admitted fault, I don’t think we should rule out this being an Amadeus issue which QF was an unfortunate victim of.

Did anyone on their QF app earlier today see people who are booked fully on foreign carriers (on their airline code) who also use the same Amadeus system as QF?
 
Makes one wonder what their risk analysis and continuity planning say about that. What's the Plan B if online fails and pax start queuing at the desks?
To be fair, the website check-in (https://www.qantas.com/au/en/travel-info/check-in.html) should in theory work regardless of whether they turn off the backend serving the app, so I'm honestly unsure why they're still letting people's info leak out like this.

Surely in an incident like this it's better to restrict access until you're 100% confident the issue is fixed?
 
Makes one wonder what their risk analysis and continuity planning say about that. What's the Plan B if online fails and pax start queuing at the desks?
Considering how much of their business, especially when it comes to domestic travel, is run on the app now, turning off the app would have caused a total meltdown of operations. QF backed themselves into a corner on this one. When they removed check-in kiosks, counters and staff, we all said this would be a problem.

To be fair, “when” everything works, app check-in and Q Bag Tag is the most seamless airport experience I have anywhere in the world. This doesn’t mean they should have dropped kiosk check-in though.
 
So it appears QF’s most recent update was incorrect:
Yep, I am more than happy to prove to Qantas this was the case as well.

I could definitely see
- person's full name
- person's status/points balance/SC credits
- boarding passes for today's flights
- manage booking page for said flight above
- contact details added to that booking (phone/email)
- APIS details for booking above including date of birth and passport details (because this is attached to the booking pnr)

It’s concerning because someone with malicious intent could even have cancelled bookings, given they had enough info to do so.
 

It’s concerning because someone with malicious intent could even have cancelled bookings, given they had enough info to do so.
Wouldn’t be surprised if it happened either, as I’m sure some folks out there would have been wanting to test the limits/extent of the glitch.
 
UPDATE FOUR – 4:50PM, 1 MAY 2024

The Qantas app is currently stable and operating normally following an issue with its homepage today.

There were two periods today where some customers were shown the flight and booking details of other frequent flyers.

This didn’t include financial information, and no customers were able to transfer or use the Qantas Points of other frequent flyers.

We have processes in place to make sure that customers were not able to board flights using the boarding pass of another customer and there were no reports of this happening.

We sincerely apologise to all customers impacted and continue to monitor the Qantas app closely.
 
Beat me to it @RichardMEL.

This didn’t include financial information, and no customers were able to transfer or use the Qantas Points of other frequent flyers.
So the story changes again. Focusing on what wasn’t breached rather than the scary realities of what was.
We have processes in place to make sure that customers were not able to board flights using the boarding pass of another customer
Really? I was thinking about this… it’s surely possible to jump on a domestic flight using a boarding pass that isn’t yours? I mean, if two people try with the same pass, then that’s an issue, but if the actual passenger is late or a no-show, then what’s to stop any other random from using their boarding pass and taking the flight?
 
My completely uneducated opinion/guess is that it's likely to be some sort of cache misconfiguration on Qantas's servers (or them misconfiguring whatever cloud solution they're using in front):
  • It would explain why it's only one page - they probably want to cache the data used on the main page to reduce server load of people loading up the app
  • If only iOS users are experiencing this, then maybe only the iOS app has been updated to use the cache
  • I would hope that any actions that actually "write" anything and would otherwise require log-in don't actually work, but who knows.
    • Maybe the cached response includes an auth token to log you into MMB etc. in case you click one of those buttons?
    • Otherwise I'd generally expect every other API call to fail (e.g. transferring points)
    • If you're in another user's account and click manage booking, is that webview session actually logged into their QFF account (top right)?
  • It explains why most people are seeing screens of people with upcoming flights / boarding pass - if it was random, then you'd expect 99+% of QFF members to not have a currently active boarding pass
    • People with a flight soon are more likely to open the app, therefore their data is more likely to be cached
I've got experience in this domain and I think you've nailed it. Absolutely reeks of a misconfigured cache and explains why people with trips/boarding passes for today seem to be the ones who were disproportionately exposed as they would have used the app very recently and their data would be fresh in the cache. The QF media release alludes to the fact that it wouldn't have been possible to perform actions such as transferring points... so it doesn't sound like the API endpoints were allowing users to perform actions against other accounts (known as "horizontal privilege escalation") other than changing seats (because you only need a PNR + last name which was in the exposed data anyway) which further supports the theory. Great post 👍
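The two posts above describe a cache-key hypothesis, not a confirmed root cause. The following is an added example (not from this thread, and not Qantas's or Amadeus's code) that simulates the failure mode they describe: a shared response cache in front of a personalised "home page" API that keys entries on the URL alone, so the first user's data is served to whoever asks next. Beside it is a hardened front-end that honours `Cache-Control: private`/`no-store` and includes the caller's credential in the key (the effect of `Vary: Authorization`). The users, tokens and booking records are constructed for the demonstration; the path `/home` and the function names are assumptions.

```python
"""Simulation of a shared cache that leaks personalised responses.

Constructed example: two users hit the same URL through a cache that
(a) keys on the path only and ignores Cache-Control (vulnerable), and
(b) keys on path + credential and refuses to store private responses.
"""
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample data (not real customers): bearer token -> member record.
USERS = {
    "tok-alice": {"name": "Alice Example", "ff": "1000001", "next_flight": "SYD-MEL"},
    "tok-bob":   {"name": "Bob Example",   "ff": "1000002", "next_flight": "MEL-NRT"},
}


@dataclass
class Request:
    path: str
    token: str          # Authorization bearer token identifying the caller


@dataclass
class Response:
    body: dict
    headers: dict = field(default_factory=dict)


def origin(req: Request) -> Response:
    """Origin API: returns the caller's own home-page data. A personalised
    response must be marked private so a shared cache never stores it."""
    user = USERS[req.token]
    return Response(body=dict(user),
                    headers={"Cache-Control": "private, max-age=60",
                             "Vary": "Authorization"})


class LruCache:
    """Minimal LRU cache standing in for a CDN / reverse-proxy response cache."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self._store: "OrderedDict[tuple, Response]" = OrderedDict()

    def get(self, key):
        if key not in self._store:
            return None
        self._store.move_to_end(key)      # mark as recently used
        return self._store[key]

    def put(self, key, value) -> None:
        self._store[key] = value
        self._store.move_to_end(key)
        if len(self._store) > self.capacity:
            self._store.popitem(last=False)   # evict least recently used


def vulnerable_fetch(req: Request, cache: LruCache) -> Response:
    """Misconfigured cache: keyed on the URL only and ignoring Cache-Control,
    so the first caller's personalised page is served to everyone after it."""
    key = (req.path,)
    hit = cache.get(key)
    if hit is not None:
        return hit
    resp = origin(req)
    cache.put(key, resp)
    return resp


def _cacheable(resp: Response) -> bool:
    """A shared cache must not store responses marked private or no-store."""
    cc = resp.headers.get("Cache-Control", "").lower()
    directives = {d.strip() for d in cc.split(",")}
    return not (directives & {"private", "no-store"})


def hardened_fetch(req: Request, cache: LruCache) -> Response:
    """Two independent fixes: (1) honour private/no-store, so personalised
    responses never enter the shared cache; (2) for responses the origin does
    allow to be cached, add the credential to the key (what Vary: Authorization
    means), so a user can only ever hit entries created by their own requests."""
    key = (req.path, req.token)
    hit = cache.get(key)
    if hit is not None:
        return hit
    resp = origin(req)
    if _cacheable(resp):
        cache.put(key, resp)
    return resp


def who_did_each_user_see(fetch) -> dict:
    """Run both users through a fresh cache with the given front-end and
    report whose record each one was shown."""
    cache = LruCache(capacity=100)
    seen = {}
    for token in ("tok-alice", "tok-bob"):
        resp = fetch(Request("/home", token), cache)
        seen[token] = resp.body["name"]
    return seen


if __name__ == "__main__":
    print("URL-only key:", who_did_each_user_see(vulnerable_fetch))
    print("principal key:", who_did_each_user_see(hardened_fetch))
```

Run stand-alone it prints Bob being shown Alice's record through the URL-only cache and his own through the hardened one. The same two checks translate directly to a CDN or reverse-proxy review: confirm personalised endpoints send `Cache-Control: private` (or `no-store`), and confirm the edge's cache key actually varies on the credential rather than on the path alone.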