This link shows me another person's QFF account details

[Captain Halliday]

A friend of mine messaged the Qantas CISO on LinkedIn last night, got a response earlier this morning and just now a confirmation it's been fixed.

I trust his/her CL invitation is in the mail. Likely saved them a penny or two.

 

[AIRwin]

I trust his/her CL invitation is in the mail.

More secure than sending electronically...

 

[sudoer]

I trust his/her CL invitation is in the mail. Likely saved them a penny or two.

Fingers crossed, I look forward to riding their coattail into the CL

PS. Hello to any QF frontend devs/engineering folk dropping past the thread during your retro! Can you please fix the unusual multi-city tool login form behaviour? To replicate, visit the page when not logged in and attempt to search for a classic award. The login form works but doesn't show a search button afterwards.

Also, please lobby the social media team to reinstate an official QF presence here on AFF! We can be a fickle bunch BUT you would have found out about this issue much earlier - we are excellent QA testers/bug finders. We also miss @Red Roo!

 

[AIRwin]

Also, can you please lobby the social media team to reinstate a QF official presence here on AFF?

Can your friend put in a word for AFF through the CISO?

 

[sudoer]

Can your friend put in a word for AFF through the CISO?

He linked directly to this thread so CISO is presumably reading our posts

 

[AIRwin]

He linked directly to this thread so CISO is presumably reading our posts

Glad I'd posted the link to OAIC...

 

[Lynda2475]

Likely that in the rush to add the link for the promo the proper test protocols were not followed. Probably well past due for a full 3rd party Penetration Test.

 

[sudoer]

For that matter, for a large corporate, if a web site is changed - say to put an offer in the landing page, click to accept the offer etc - what sort of testing might be usual before it goes live again? How about for a federal govt department? This sort of thing happens from time to time across the board.

Pretty much every change that goes into production should be looked at by at least two sets of eyes - the dev who writes the code and a second person to review and approve the pull request. Some orgs will require multiple PR approvals before shipping code, that would vary by internal policy.

I guess the tricky thing about this bug was that it only appeared on maybe 1/6 page loads from my testing, and only briefly appeared for a second or two. You also needed to be logged in with your own account to see the other person's details. (otherwise you'd just get the generic "Login" button) It shouldn't have been missed, but I can understand how it may have been.

 

[FishFood]

Pretty much every change that goes into production should be looked at by at least two sets of eyes - the dev who writes the code and a second person to review and approve the pull request. Some orgs will require multiple PR approvals before shipping code, that would vary by internal policy.

I guess the tricky thing about this bug was that it only appeared on maybe 1/6 page loads from my testing, and only briefly appeared for a second or two. You also needed to be logged in with your own account to see the other person's details. (otherwise you'd just get the generic "Login" button) It shouldn't have been missed, but I can understand how it may have been.

I don't think you needed to be logged into your account to see this, I did all my testing in Chrome Incognito mode and saw about 5 different users

 

[sudoer]

I don't think you needed to be logged into your account to see this, I did all my testing in Chrome Incognito mode and saw about 5 different users

I must have reloaded the page without being logged in a good 15-20 times and didn't see any details ... guess that just shows how intermittent it was.

 

[aikman]

I logged out of my account but still saw several names after that including a points multi millionaire. It looks like a lot of people have very healthy points balances which is not surprising but it's different when you see it for yourself.

 

[FishFood]

I logged out of my account but still saw several names after that including a points multi millionaire. It looks like a lot of people have very healthy points balances which is not surprising but it's different when you see it for yourself.

Everyone I saw had lower points balances than myself, it would have been fun to see a millionaire in the wild

 

[Zetta]

I only saw one. But all are plat members

 

[Daver6]

So wait....when QF want to fix something quickly, it can be done. Surprised they didn't blame this on Covid.

 

[Lynda2475]

So wait....when QF want to fix something quickly, it can be done. Surprised they didn't blame this on Covid

A combination of getting the info to the correct person with authority to fix (using linked in was genius) and the motivation to avoid significant fines and legal action for breaching privacy act (or equivalent) in multiple countries.

When the IT issues just deliver lousy service without breaking the law, the arrogance kicks in and problems can be ignored without real consequence.

Everyone knows if web site had ability to book complex OWA itineraries, self modify OWA, add bassinet bookings etc calls to call centre would be minimal.

 

[Daver6]

A combination of getting the info to the correct person with authority to fix (using linked in was genius) and the motivation to avoid significant fines and legal action for breaching privacy act (or equivalent) in multiple countries.

That ship has sailed. The breach has already occurred.

 

[Lynda2475]

True but penalties in Australia at least can be larger if companies do not act swiftly once notifed of a breach.

 

[Guvner]

Likely that in the rush to add the link for the promo the proper test protocols were not followed. Probably well past due for a full 3rd party Penetration Test.

Do you mean a sanctioned test? Because I can guarantee there'd be hundreds of 3rd party penetration tests attempted every day on the QF site.

 

[Lynda2475]

Yes sanctioned 3rd party penetration testing is standard protocol as part of production readiness for any public facing site which has PII.

 

[Virgin Bart]

Did anything ever come of this incident?