Qantas App issues?

I could only see the details of flights in the next 24 hours. Domestic flights I could click Manage booking and view phone number and email address, full name and FF number. International bookings I could view the same as domestic plus APIS including Passport Number, Nationality and DOB.
Ah sorry I meant more not for immediately upcoming ones (so 24h where it starts prompting you for check-in) but say 2days from now or 2 weeks for the next upcoming trip.

That info is on the home page, but whether the page after that (which has all the details) is accessible too.
 
I don't understand why they don't just take the system down until they're sure it's fixed to avoid leaking any more data.

I'm sure customers can just check into their domestic flights at the airport....

Oh wait, they made the airport kiosks incapable of check-in.
 
So I thought I was unaffected - well at least not seeing other people’s stuff (who knows if anyone saw mine 🤷‍♂️) but just a few minutes ago, I was looking at a flight tomorrow the screen was showing a different destination but same state before the correct flight details flashed up. The alternative was more interesting but I suspect the hotel bookings wouldn’t match…
Post automatically merged:

I don't understand why they don't just take the system down until they're sure it's fixed to avoid leaking any more data.

I'm sure customers can just check into their domestic flights at the airport....

Oh wait, they made the airport kiosks incapable of check-in.
Leaving check in until the airport has its risks these days….
 
My mother is flying today and earlier today she received a 2fa message. I was helping her last night with her booking and thought it might have been to do with that. After seeing this now possibly her details showed up on someone elses app and they attempted something 😳
 
So I tried logging out and logging back in and I still got the same random person not me.

I even tried deleting the app and reinstalling and it still came back with the random person. They have a flight to Tokyo today and as a result I can see/download their boarding pass. Additionally by going onto manage booking and APIS I can see their name, email, phone number, date of birth and passport details. If that isn’t some form of data breach then I don’t know what is.

So it appears QF’s most recent update was incorrect:

UPDATE THREE – 12.10PM, 1 MAY 2024

We sincerely apologise to customers impacted by the issue with the Qantas app this morning, which has now been resolved.

Current investigations indicate that it was caused by a technology issue and may have been related to recent system changes.

At this stage, there is no indication of a cyber security incident.

The issue was isolated to the Qantas app with some frequent flyers able to see the travel information of other customers, including name, upcoming flight details, points balance and status.

No further personal or financial information was shared and customers would not have been able to transfer or use the Qantas Points of other frequent flyers. We’re not aware of any customers travelling with incorrect boarding passes.
 
While Qantas has admitted fault, I don’t think we should rule out this being an Amadeus issue which QF was an unfortunate victim of.

Did anyone on their QF app earlier today have people who are booked fully on foreign carriers (on their airline code) who also use the same Amadeus system as QF?
 
Makes one wonder what does their risk analysis and continuity planning say about that? What's the Plan B if online fails and pax start queuing to the desks?
To be fair, the website check-in (https://www.qantas.com/au/en/travel-info/check-in.html) should in theory work regardless of if they turn off the backend serving the app or not, so I'm honestly unsure why they're still letting people's info leak out like this.

Surely in an incident like this it's better to restrict access until you're 100% confident the issue is fixed?
 
Makes one wonder what does their risk analysis and continuity planning say about that? What's the Plan B if online fails and pax start queuing to the desks?
Considering how much of their business, especially when it comes to domestic travel is run on the app now. Turning off the app would have caused a total melt down of operations. QF backed themselves into a corner on this one. Which when they removed check in kiosks, counters and staff we all said this would be a problem.

To be fair, “when” everything works, app check in and q bag tag is the most seamless airport experience I have anywhere in the world. This doesn’t mean they should have dropped kiosk check in though.
 
Australia's highest-earning Velocity Frequent Flyer credit card: Offer expires: 21 Jan 2025
- Earn 60,000 bonus Velocity Points
- Get unlimited Virgin Australia Lounge access
- Enjoy a complimentary return Virgin Australia domestic flight each year

AFF Supporters can remove this and all advertisements

So it appears QF’s most recent update was incorrect:
Yep, I am more than happy to prove to Qantas this was the case as well.

I could definitely see
- persons full name
- persons status/points balance/sc credits
- boarding passes for todays flights
- manage booking page for said flight above
- contact details added to that booking (phone/email)
- APIS details for booking above including date of birth and passport details (because this is attached to the booking pnr)

It’s concerning because someone with malicious intents could have even cancelled bookings given they had enough info to do so.
 
It’s concerning because someone with malicious intents could have even cancelled bookings given they had enough info to do so.
Wouldn’t be surprised if it happened either as I’m sure some folks out there would have been wanting to test the limits/extent of the glitch.
 
UPDATE FOUR – 4:50PM, 1 MAY 2024

The Qantas app is currently stable and operating normally following an issue with its homepage today.

There were two periods today where some customers were shown the flight and booking details of other frequent flyers.

This didn’t include financial information, and no customers were able to transfer or use the Qantas Points of other frequent flyers.

We have processes in place to make sure that customers were not able to board flights using the boarding pass of another customer and there were no reports of this happening.

We sincerely apologise to all customers impacted and continue to monitor the Qantas app closely.
 
Beat me to it @RichardMEL.

This didn’t include financial information, and no customers were able to transfer or use the Qantas Points of other frequent flyers.
So the story changes again. Focusing on what wasn’t breached rather than the scary realities of what was.
We have processes in place to make sure that customers were not able to board flights using the boarding pass of another customer
Really? I was thinking about this… it’s surely possible to jump on a domestic flight using a boarding pass that isn’t yours? I mean... If two people try with the same pass, then that’s an issue, but if the actual passenger is late or a no show, then what’s to stop any other random from using their boarding pass and taking the flight?
 
My completely uneducated opinion/guess is that it's likely to be some sort of cache misconfiguration on Qantas servers (or them misconfiguring whatever cloud solution they're using in front)
  • It would explain why it's only one page - they probably want to cache the data used on the main page to reduce server load of people loading up the app
  • If only iOS users are experiencing this, then maybe only the iOS app has been updated to use the cache
  • I would hope that any actions that actually "write" anything and would otherwise require log-in don't actually work, but who knows.
    • Maybe the cached response includes an auth token to log you into MMB etc. in case you click one of those buttons?
    • Otherwise I'd generally expect every other API call to fail (e.g. transferring points)
    • If you're in another user's account and click manage booking, is that webview session actually logged into their QFF account (top right)?
  • It explains why most people are seeing screens of people with upcoming flights / boarding pass - if it was random, then you'd expect 99+% of QFF members to not have a currently active boarding pass
    • People with a flight soon are more likely to open the app, therefore their data is more likely to be cached
I've got experience in this domain and I think you've nailed it. Absolutely reeks of a misconfigured cache and explains why people with trips/boarding passes for today seem to be the ones who were disproportionately exposed as they would have used the app very recently and their data would be fresh in the cache. The QF media release alludes to the fact that it wouldn't have been possible to perform actions such as transferring points... so it doesn't sound like the API endpoints were allowing users to perform actions against other accounts (known as "horizontal privilege escalation") other than changing seats (because you only need a PNR + last name which was in the exposed data anyway) which further supports the theory. Great post 👍
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.

Currently Active Users

Back
Top