This link shows me another person's QFF account details

Chief Wiggum

Chief Wiggum

Member
Joined
Sep 16, 2013
Posts
189
Qantas
Platinum
Virgin
Gold
Just now while logged into my QFF Account on the website, I accidentally clicked this hyperlinked blue bar at the top of page. (pic)

Which goes to this link https://www.qantas.com/hotels/campaigns/more-in-every-point

It opened up a new browser tab and I was surprised to see for about 3-4 seconds... the NAME & POINTS balance of another QFF member.

Then the tab updated to my details, replacing the other user' with mine.

I repeated the actions (clicking on the blue-bar) and it did the same things... this time with a different QFF NAME & POINTS.

Done it a few times now and each time the same result... a different person's details for 3-4 seconds before mine are updated.

If I'm quick enough I can even click the other person's name and see more information in the drop-down - before it converts over to my details.

Has anyone seen or experienced this before?

Seems like a serious security glitch to me - at very least giving away private information.
At worst - depending on what ELSE is happening in the background here to cause this - could allow someone far more computer knowledgeable and skilled than myself to possibly directly access the logged-in QFF account of another user... seemingly bypassing login & 2FA security measures?

Apologies if I'm being overly dramatic and if this is somehow a "known thing". Thought it was worth mentioning.


Screenshot 2022-05-14 125715.png
 
Yep, could reproduce the bug, saw 2 names and qff#. Really concerning.

Reporting it sounds good. Will someone read the message, let alone reallise it's a major security concern worth escalating? That s another question.

Any IT ninja around with nothing to do this afternoon? Would be good to write some loop that stops once AJ qff# is found. This for sure would get some attentions.
 
Was able to reproduce this too. Incredibly concerning. Wonder who's getting to see my details...
 
Yep - I wonder if we are seeing the same person - male initials TJ
 
I've made a report at the QF link/site above.
No obvious category of reporting for this type of thing - that I could find.
I lodged it under QFF Account Queries and detailed the nature of the "error" and how to replicate it and offered to provide a video showing the issue occurring multiple times.

Don't hold much hope of even getting an acknowledgement or reply, let alone useful feedback that the issue exists and is being addressed. Imagine QF is utterly inundated with Complaints via the Web Form and this probably will

I will also send a copy of my web complaint to the email address provided that says it is specifically for GDPR related privacy issues. I'm not in the EU but figure this might have more chance of being looked at by a human. And as far as I'm concerned... I'm sure QFF users in EU would be affected by this same issue, so it is GDPR related.

FWIW - I have just cleared all browser history once again and gone to a different computer, with a different browser, and can still replicate the same thing.
 
Managed to reprod. Took some screenshots and reported ([email protected]) I can easily run an automation script to screenshot thousands of profile in a matter of mins. This is a sev 1/2 bug as it breeches customer info confident.
 
Last edited:
Perhaps @TheInsider may also be able to bring this to the right peoples attention

Something is clearly being caached, I think its best to not click on that link, lest your details be the next ones to show up cached to the next person who goes to the link.
 
I have tried this also...the first 5 times it behaved as described above, then it reverted to showing a login request briefly before showing my details,
 
I did some digging in the network tab and it's definitely real information - including email and phone number. ([[redacted]] = my censoring, not theirs)

"authentication":{"accessToken":"[[redacted]]","memberId":"[[redacted]]","firstName":"JOSEPH J","lastName":"[[redacted]]","title":"MR","pointsBalance":145778,"membershipTier":"Bronze","pointsClubLevel":"Base","emailAddress":"[[redacted]]@hotmail.com","phoneNumber":"+61048[[redacted]]"}
 
Lynda2475 said:
Something is clearly being caached, I think its best to not click on that link, lest your details be the next ones to show up cached to the next person who goes to the link.
Click to expand...

I would hazard a guess it's mixing up the auth token so if you want to be super safe don't log into your QFF account at all, regardless of the link.

That said, there is no PIN included, so unlikely anybody can do any damage.
 
justinbrett said:
I did some digging in the network tab and it's definitely real information - including email and phone number. ([[redacted]] = my censoring, not theirs)

"authentication":{"accessToken":"[[redacted]]","memberId":"[[redacted]]","firstName":"JOSEPH J","lastName":"[[redacted]]","title":"MR","pointsBalance":145778,"membershipTier":"Bronze","pointsClubLevel":"Base","emailAddress":"[[redacted]]@hotmail.com","phoneNumber":"+61048[[redacted]]"}
Click to expand...
Not. Good. Terrifying in fact.

Especially given the already zero-value meaningless account login security that QF provides. A four-digit PIN has always been an utterly useless level of security when the other two credentials required to log in are being disclosed.

Yes... with 2FA turned on, there is (in theory) a slightly higher additional level of security.

But here... a malicious actor doesn't even NEED that... they're getting the authentication token directly from the website. GREAT !!!

Please QF.... offer users the chance to use a real (long-strong) password credential with more than 10,000 total choices
 
For me it only happens about 30% of the time and seems to only do it if you open it as a link (not refreshing the page).

And if you madly keep doing it, it's less likely to work.

It might require someone else to log in immediately before you opening the link.

I just tried it again twice, the first time didn't do it, but the second one did.
 
justinbrett said:
For me it only happens about 30% of the time and seems to only do it if you open it as a link (not refreshing the page).

And if you madly keep doing it, it's less likely to work.

It might require someone else to log in immediately before you opening the link.

I just tried it again twice, the first time didn't do it, but the second one did.
Click to expand...
I've had the same experience. I think I know where the fault lies. and it's a pretty basic error - which @justinbrett has detailed.
 
Struggling to Redeem Your Frequent Flyer Points?
The Frequent Flyer Concierge team takes the hard work out of finding reward seat availability. Using their expert knowledge and specialised tools, they'll help you book a great trip that maximises the value for your points.

AFF Supporters can remove this and all advertisements

Let me guess, someone has decided to use the number of seconds since epoch (a time stamp, basically), as an auth token? So if you login at the same time as someone else you might get their session?
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and enjoy a better viewing experience, as well as full participation on our community forums.

AFF members can also access our Frequent Flyer Training courses, and upgrade to enjoy lots of other benefits and discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.

Recent Posts

Currently Active Users

Total: 885 (members: 48, guests: 837)
Back
Top