> I could only see the details of flights in the next 24 hours. Domestic flights I could click Manage booking and view phone number and email address, full name and FF number. International bookings I could view the same as domestic plus APIS including Passport Number, Nationality and DOB.

Ah sorry, I meant more not for immediately upcoming ones (so 24h where it starts prompting you for check-in) but say 2 days from now or 2 weeks for the next upcoming trip.
> I don't understand why they don't just take the system down until they're sure it's fixed to avoid leaking any more data.
> I'm sure customers can just check into their domestic flights at the airport....
> Oh wait, they made the airport kiosks incapable of check-in.

Leaving check-in until the airport has its risks these days….
> I don't understand why they don't just take the system down until they're sure it's fixed to avoid leaking any more data.
> I'm sure customers can just check into their domestic flights at the airport....
> Oh wait, they made the airport kiosks incapable of check-in.

You almost had me there.
> So 75 SC or 20k points offer incoming?

Legit was thinking this. I'm still seeing me, but who knows if someone else is seeing me too!
So I tried logging out and logging back in, and I still got the same random person, not me.
I even tried deleting the app and reinstalling and it still came back with the random person. They have a flight to Tokyo today and as a result I can see/download their boarding pass. Additionally by going onto manage booking and APIS I can see their name, email, phone number, date of birth and passport details. If that isn’t some form of data breach then I don’t know what is.
UPDATE THREE – 12.10PM, 1 MAY 2024
We sincerely apologise to customers impacted by the issue with the Qantas app this morning, which has now been resolved.
Current investigations indicate that it was caused by a technology issue and may have been related to recent system changes.
At this stage, there is no indication of a cyber security incident.
The issue was isolated to the Qantas app with some frequent flyers able to see the travel information of other customers, including name, upcoming flight details, points balance and status.
No further personal or financial information was shared and customers would not have been able to transfer or use the Qantas Points of other frequent flyers. We’re not aware of any customers travelling with incorrect boarding passes.
> Agreed. I wish I hadn't opened the app this morning (before knowing of these issues). I didn't see anyone else's details, but how can we be sure our data was not accessed?

There is one thing we do know. Qantas will never tell us personally.
> Oh wait, they made the airport kiosks incapable of check-in.

Makes one wonder what their risk analysis and continuity planning say about that? What's the Plan B if online fails and pax start queuing at the desks?
> Makes one wonder what their risk analysis and continuity planning say about that? What's the Plan B if online fails and pax start queuing at the desks?

To be fair, the website check-in (https://www.qantas.com/au/en/travel-info/check-in.html) should in theory work regardless of whether they turn off the backend serving the app or not, so I'm honestly unsure why they're still letting people's info leak out like this.
> Droid for me with 4.8.1 and all I got was me despite constantly swiping left trying to find a Gracie..

First of all, sounds like you're using the wrong app? Secondly, imagine the blow to poor Gracie's self-esteem when she learns that you're "swiping left".
> Makes one wonder what their risk analysis and continuity planning say about that? What's the Plan B if online fails and pax start queuing at the desks?

Considering how much of their business, especially when it comes to domestic travel, is run on the app now, turning off the app would have caused a total meltdown of operations. QF backed themselves into a corner on this one, which, when they removed check-in kiosks, counters and staff, we all said would be a problem.
> So it appears QF's most recent update was incorrect:

Yep, I am more than happy to prove to Qantas this was the case as well.
> It's concerning because someone with malicious intent could have even cancelled bookings, given they had enough info to do so.

Wouldn't be surprised if it happened either, as I'm sure some folks out there would have been wanting to test the limits/extent of the glitch.
> This didn't include financial information, and no customers were able to transfer or use the Qantas Points of other frequent flyers.

So the story changes again. Focusing on what wasn't breached rather than the scary realities of what was.
> We have processes in place to make sure that customers were not able to board flights using the boarding pass of another customer

Really? I was thinking about this… it's surely possible to jump on a domestic flight using a boarding pass that isn't yours? I mean... If two people try with the same pass, then that's an issue, but if the actual passenger is late or a no-show, then what's to stop any other random from using their boarding pass and taking the flight?
> My completely uneducated opinion/guess is that it's likely to be some sort of cache misconfiguration on Qantas servers (or them misconfiguring whatever cloud solution they're using in front)
> - It would explain why it's only one page - they probably want to cache the data used on the main page to reduce server load of people loading up the app
> - If only iOS users are experiencing this, then maybe only the iOS app has been updated to use the cache
> - I would hope that any actions that actually "write" anything and would otherwise require log-in don't actually work, but who knows.
> - Maybe the cached response includes an auth token to log you into MMB etc. in case you click one of those buttons?
> - Otherwise I'd generally expect every other API call to fail (e.g. transferring points)
> - If you're in another user's account and click manage booking, is that webview session actually logged into their QFF account (top right)?
> - It explains why most people are seeing screens of people with upcoming flights / boarding pass - if it was random, then you'd expect 99+% of QFF members to not have a currently active boarding pass
> - People with a flight soon are more likely to open the app, therefore their data is more likely to be cached

I've got experience in this domain and I think you've nailed it. Absolutely reeks of a misconfigured cache, and it explains why people with trips/boarding passes for today seem to be the ones who were disproportionately exposed: they would have used the app very recently and their data would be fresh in the cache. The QF media release alludes to the fact that it wouldn't have been possible to perform actions such as transferring points, so it doesn't sound like the API endpoints were allowing users to perform actions against other accounts (known as "horizontal privilege escalation") other than changing seats (because you only need a PNR + last name, which was in the exposed data anyway), which further supports the theory. Great post.
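The cache theory in the two posts above can be shown in a toy model. This is an added example, not code from the thread or from Qantas, and everything in it is constructed: the member names, bearer tokens, the `/home` path and the two-entry LRU capacity are hypothetical. It models a shared edge cache that keys responses on the URL alone and ignores `Cache-Control: private` (the misconfiguration the posts speculate about), so the last member's personalised home screen is served to the next member, alongside the hardened configuration that keys on the credential and refuses to store private responses. The `private_entries` function is the kind of check an operator can run against a cache's contents to spot the problem.

```python
"""Toy model of a shared response cache in front of an authenticated API.
Constructed example: names, tokens, paths and cache size are hypothetical."""
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample members keyed by bearer token (hypothetical values).
MEMBERS = {
    "tok-alice": {"name": "Alice Example", "points": 120_000,
                  "next_flight": "SYD-HND departing today"},
    "tok-bob": {"name": "Bob Example", "points": 3_500,
                "next_flight": "MEL-SYD in two weeks"},
}


@dataclass
class Response:
    body: dict
    headers: dict = field(default_factory=dict)


def origin(path: str, token: str) -> Response:
    """Origin API. /home returns the caller's own profile and marks it
    private, which a correctly configured shared cache must never store."""
    member = MEMBERS.get(token)
    if member is None:
        return Response({"error": "unauthenticated"}, {"Cache-Control": "no-store"})
    if path == "/home":
        return Response(dict(member), {"Cache-Control": "private, max-age=60"})
    return Response({"error": "not found"}, {"Cache-Control": "no-store"})


class SharedCache:
    """Minimal LRU cache shared by every client, as a CDN or edge cache is."""

    def __init__(self, key_on_token: bool, honour_private: bool, capacity: int = 2):
        self.key_on_token = key_on_token      # include the credential in the key?
        self.honour_private = honour_private  # refuse to store private responses?
        self.capacity = capacity
        self.store: OrderedDict = OrderedDict()

    def _key(self, path: str, token: str):
        # Misconfiguration: keying on the path alone merges all users' responses.
        return (path, token) if self.key_on_token else (path,)

    def _cacheable(self, resp: Response) -> bool:
        cc = resp.headers.get("Cache-Control", "")
        if "no-store" in cc:
            return False
        return not (self.honour_private and "private" in cc)

    def get(self, path: str, token: str):
        """Return (response, served_from_cache)."""
        key = self._key(path, token)
        if key in self.store:
            self.store.move_to_end(key)         # mark as recently used
            return self.store[key], True
        resp = origin(path, token)
        if self._cacheable(resp):
            self.store[key] = resp
            if len(self.store) > self.capacity:
                self.store.popitem(last=False)  # evict the least recently used
        return resp, False


def simulate(cache: SharedCache):
    """Alice opens the app shortly before her flight, then Bob opens his.
    Returns the name shown on Bob's home screen and whether it was a cache hit."""
    cache.get("/home", "tok-alice")
    bob_view, hit = cache.get("/home", "tok-bob")
    return bob_view.body["name"], hit


def private_entries(cache: SharedCache) -> int:
    """Operator's check: count stored responses the origin marked private.
    Any non-zero result on a shared cache is a misconfiguration finding."""
    return sum("private" in r.headers.get("Cache-Control", "")
               for r in cache.store.values())


if __name__ == "__main__":
    leaky = SharedCache(key_on_token=False, honour_private=False)
    print("misconfigured:", simulate(leaky), "private entries:", private_entries(leaky))
    fixed = SharedCache(key_on_token=True, honour_private=True)
    print("hardened:     ", simulate(fixed), "private entries:", private_entries(fixed))
```

Keying on the token alone is enough to stop Bob seeing Alice's page, but the shared cache would still hold private profiles, so the real fix is both: the origin sends `Cache-Control: private` (or `no-store`) on personalised responses and the cache honours it. The small LRU capacity also reproduces the recency effect the posts describe: only the members who opened the app most recently are the ones left in the cache to be served to someone else.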