Qantas App issues?

While Qantas has admitted fault, I don’t think we should rule out this being an Amadeus issue which QF was an unfortunate victim of.

Did anyone on their QF app earlier today have people who are booked fully on foreign carriers (on their airline code) who also use the same Amadeus system as QF?
Even anyone with the most rose tinted specs would have difficulty pinning this on anyone but QF.

The only unfortunate victims here are the QF pax who had their personal info available to millions.
 
It’s concerning because someone with malicious intents could have even cancelled bookings given they had enough info to do so.
1714547114049.png
I don't understand why you need to log-in to change a booking, but don't need to log-in to cancel.
(actually I do understand, in case the change needs to bill you points, but still... surely it'd be more secure to require it for cancellation too)

I've got experience in this domain and I think you've nailed it. Absolutely reeks of a misconfigured cache and explains why people with trips/boarding passes for today seem to be the ones who were disproportionately exposed as they would have used the app very recently and their data would be fresh in the cache. The QF media release alludes to the fact that it wouldn't have been possible to perform actions such as transferring points... so it doesn't sound like the API endpoints were allowing users to perform actions against other accounts (known as "horizontal privilege escalation") other than changing seats (because you only need a PNR + last name which was in the exposed data anyway) which further supports the theory. Great post 👍
Yeah, I have a few more thoughts on this;
  • When you click "Manage Booking" in the app, in my experience it opens an authenticated (as in, logged into your FF account) webview with the manage booking screen. I certainly hope whatever it needs to authenticate this is not returned in this initial request. I don't think it would be, but I can also see someone designing the API so that a URL with auth data is one of the fields for a given flight
    • Interestingly right now it says "Something went wrong" when trying to do that, so maybe they patched it
  • So far I've seen no reports of Android users experiencing this issue. I'd have to assume that the Android app doesn't hit the cache. Therefore, I wonder if any Android users are affected? As in, if the app doesn't use the cache, are their details being written to the cache? Hopefully not.
  • All the media attention has probably got users logging in to check for themselves. This might've actually made the situation worse as it may have resulted in their data being added to the cache. The act of logging in today might've increased the chance of your data being leaked to someone else today.
Post automatically merged:

While Qantas has admitted fault, I don’t think we should rule out this being an Amadeus issue which QF was an unfortunate victim of.
I think this is unlikely since it's the Qantas Loyalty system that's serving up this data. Maybe if the issue was limited to Manage My Booking etc., then it could be Amadeus etc.
 
While Qantas has admitted fault, I don’t think we should rule out this being an Amadeus issue which QF was an unfortunate victim of.

Did anyone on their QF app earlier today have people who are booked fully on foreign carriers (on their airline code) who also use the same Amadeus system as QF?

OK, now I know its all a big leg-pull !! 🤣 🤣 Well played!
 
Yeah, I have a few more thoughts on this;
  • When you click "Manage Booking" in the app, in my experience it opens an authenticated (as in, logged into your FF account) webview with the manage booking screen. I certainly hope whatever it needs to authenticate this is not returned in this initial request. I don't think it would be, but I can also see someone designing the API so that a URL with auth data is one of the fields for a given flight
    • Interestingly right now it says "Something went wrong" when trying to do that, so maybe they patched it
I just tried "Manage Booking" in the app and it directed me to a "semi" authenticated view of MMB. It didn't log me into my QFF account but it showed me the same view that I would see if I just use the PNR/last name to manage my booking rather than logging in. If this was possible to do for other people's bookings today, then there is more data than just "name, upcoming flight details, points balance and status" that QF mentioned in their media release that would have been exposed to others. The semi-authenticated MMB view also shows e-mail, phone number, APIS details including DOB and passport number (if completed) and also allows you to cancel/change flights in some instances.

Does anyone know if it was just the "Home" tab that was impacted? Or was there compromised data also showing up under the "My QFF" tab as well? Some of the sections under the "My QFF" tab do actually throw you out to fully authenticated My Account pages on the QFF website which would have been even more worrying if this was the case.
  • So far I've seen no reports of Android users experiencing this issue. I'd have to assume that the Android app doesn't hit the cache. Therefore, I wonder if any Android users are affected? As in, if the app doesn't use the cache, are their details being written to the cache? Hopefully not.
This is an interesting one - as this kind of issue is driven from the backend side of things and you'd think both Android and iOS versions of the QF app would be sharing a common backend thus both impacted but may not be the case.
  • All the media attention has probably got users logging in to check for themselves. This might've actually made the situation worse as it may have resulted in their data being added to the cache. The act of logging in today might've increased the chance of your data being leaked to someone else today.
100% - if this is a caching issue the flood of users logging into check would have exasperated the issue and put those users at risk as well.
I think this is unlikely since it's the Qantas Loyalty system that's serving up this data. Maybe if the issue was limited to Manage My Booking etc., then it could be Amadeus etc.
Also agree with this. QF have their own backend for their app - its not developed by Amadeus like MMB is.
 
Last edited:
Really? I was thinking about this… it’s surely possible to jump on a domestic flight using a boarding pass that isn’t yours? I mean... If two people try with the same pass, then that’s an issue, but if the actual passenger is late or a no show, then what’s to stop any other random from using their boarding pass and taking the flight?
I think they just mean they have the normal "how we are supposed to check domestic passengers" routine that unofficially means someone else can be flying in your name even if its illegal.

View attachment 383052
I don't understand why you need to log-in to change a booking, but don't need to log-in to cancel.
(actually I do understand, in case the change needs to bill you points, but still... surely it'd be more secure to require it for cancellation too)


Yeah, I have a few more thoughts on this;
  • When you click "Manage Booking" in the app, in my experience it opens an authenticated (as in, logged into your FF account) webview with the manage booking screen. I certainly hope whatever it needs to authenticate this is not returned in this initial request. I don't think it would be, but I can also see someone designing the API so that a URL with auth data is one of the fields for a given flight
    • Interestingly right now it says "Something went wrong" when trying to do that, so maybe they patched it
I'd be surprised if you need a full authentication for MMB. I mean you can alter anyones MMB with just PNR and surname online from the MMB page. They never needed more than that.
Post automatically merged:

If there WAS an underlying Amadeus issue many airlines would be affected probably.
Almost no chance. This is in-app and not even everyone. Clearly something was pushed to one version of the app overnight.
 
Inagree I do not think Amadeus was involved.

Ch7 news report included a note about scammers setting up fake QF support sites/IDs to try and get info. Sigh.
 
I don't understand why you need to log-in to change a booking, but don't need to log-in to cancel.
(actually I do understand, in case the change needs to bill you points, but still... surely it'd be more secure to require it for cancellation too)
I just tested this further with a couple of my bookings. It seems like bookings made with points you can cancel without being logged in but you need to log in to make changes. However for cash bookings, MMB will let you change and cancel the flight even if not logged in.
 
Given we saw this exact same issue less than 2 years ago (reported on AFF but resolved in a shorter time period), it seems the work experience kids have failed to install safeguards to prevent this recurring.

Im on android and only saw my own details but if mine had been breached to others and any points are stolen or trips changed or cancelled they will be hearing from my lawyer.
 
Interesting to note the subtle change of QF’s language from update three to update four.

In 3 they listed the info disclosed to other users with this qualifier: “No further personal or financial information was shared.”

But by update 4 it was this: “some customers were shown the flight and booking details of other frequent flyers.

This didn’t include financial information, and no customers were able to transfer or use the Qantas Points of other frequent flyers.”


In update 4 they fail to rule out that any other data was exposed.

By not ruling it out, QF is effectively conceding that other data, including identity information and passport details has been compromised.
 
Australia's highest-earning Velocity Frequent Flyer credit card: Offer expires: 21 Jan 2025
- Earn 60,000 bonus Velocity Points
- Get unlimited Virgin Australia Lounge access
- Enjoy a complimentary return Virgin Australia domestic flight each year

AFF Supporters can remove this and all advertisements

Well now that they hopefully have the app fixed the intern can return to his primary duties and do my DSC credit so that I am back to Gold - and kindly readmit me to Points Club after being a member for just four weeks!
 
I know I've said this before, but I just can't believe whatever change did this wasn't immediately revertable or at least able to be taken offline. It was obviously a backend change that caused this, and surely the old endpoint was still available (used by Android?). Even worse they reported it being fixed when it wasn't.

Mistakes happen (even if this should've never hit production), but it's baffling how it took seemingly at least 6 hours to stop people's information being leaked.

I can only assume the decision to not take it offline until a fix is verified is because of some sort of misguided desire to keep this low key or downplay the severity.

Well, I'm sure they'll find out that keeping the app online leaking people's information is going to hurt them a lot more than just having it offline for a day.
 
While Qantas has admitted fault, I don’t think we should rule out this being an Amadeus issue which QF was an unfortunate victim of.

Did anyone on their QF app earlier today have people who are booked fully on foreign carriers (on their airline code) who also use the same Amadeus system as QF?

While we're at it. We probably shouldn't rule out this issue being caused by aliens either. Perhaps @RooFlyer this was caused by your mates at QR still sore about being denied extra capacity into Australia? ;)
 
I know I've said this before, but I just can't believe whatever change did this wasn't immediately revertable or at least able to be taken offline. It was obviously a backend change that caused this, and surely the old endpoint was still available (used by Android?). Even worse they reported it being fixed when it wasn't.
It can take some time for something like that to be acknowledged before some are empowered to take action.
 
This is in-app and not even everyone. Clearly something was pushed to one version of the app overnight.
That’s an interesting point. Wonder if there’s any pattern as to which version/build of the app was affected?

I’ve had no issues and am on iOS V4.8.1 Build 425.
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.
Back
Top