This link shows me another person's QFF account details

I trust his/her CL invitation is in the mail. Likely saved them a penny or two.

Fingers crossed, I look forward to riding their coattails into the CL 😁

PS. Hello to any QF frontend devs/engineering folk dropping past the thread during your retro! 👋 Can you please fix the unusual multi-city tool login form behaviour? To replicate, visit the page when not logged in and attempt to search for a classic award. The login form works but doesn't show a search button afterwards.

Also, please lobby the social media team to reinstate an official QF presence here on AFF! We can be a fickle bunch BUT you would have found out about this issue much earlier - we are excellent QA testers/bug finders. We also miss @Red Roo!
 

Likely that in the rush to add the link for the promo the proper test protocols were not followed. Probably well past due for a full 3rd party Penetration Test.
 
For that matter, for a large corporate, if a web site is changed - say to put an offer on the landing page, a click to accept the offer, etc. - what sort of testing might be usual before it goes live again? How about for a federal govt department? This sort of thing happens from time to time across the board.

Pretty much every change that goes into production should be looked at by at least two sets of eyes - the dev who writes the code and a second person to review and approve the pull request. Some orgs will require multiple PR approvals before shipping code, that would vary by internal policy.

I guess the tricky thing about this bug was that it only appeared on maybe 1/6 page loads from my testing, and only briefly appeared for a second or two. You also needed to be logged in with your own account to see the other person's details (otherwise you'd just get the generic "Login" button). It shouldn't have been missed, but I can understand how it may have been.
 
> Pretty much every change that goes into production should be looked at by at least two sets of eyes - the dev who writes the code and a second person to review and approve the pull request. Some orgs will require multiple PR approvals before shipping code, that would vary by internal policy.
>
> I guess the tricky thing about this bug was that it only appeared on maybe 1/6 page loads from my testing, and only briefly appeared for a second or two. You also needed to be logged in with your own account to see the other person's details (otherwise you'd just get the generic "Login" button). It shouldn't have been missed, but I can understand how it may have been.
I don't think you needed to be logged into your account to see this, I did all my testing in Chrome Incognito mode and saw about 5 different users
 
> I don't think you needed to be logged into your account to see this, I did all my testing in Chrome Incognito mode and saw about 5 different users

I must have reloaded the page without being logged in a good 15-20 times and didn't see any details ... guess that just shows how intermittent it was.
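The two posts above disagree about how many reloads it took to catch the leak, which is exactly the problem with an intermittent defect: a handful of manual page loads can easily miss something that shows up on roughly one load in six. The block below is an added example, not code from the thread, from AFF or from Qantas. It assumes a hypothetical rendered header of the form "Welcome, <name> | <points> points" (the real markup is unknown), uses constructed page snapshots and made-up names and balances, and goes one step beyond the thread by working out how many reloads a tester needs before they can say, with a chosen confidence, that a 1-in-6 defect is really gone.

```python
"""
Added example (not from the thread, AFF or Qantas): a repeat-load identity check
for a page that intermittently renders another user's account details, plus the
arithmetic for how many reloads an intermittent defect needs.
All markup, names, balances and URLs below are constructed for illustration.
"""
import math
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed header fragment, e.g. 'Welcome, Jane Citizen | 12,400 points'.
# This is a hypothetical pattern, not the real site's markup.
ACCOUNT_RE = re.compile(
    r"Welcome,\s+(?P<name>[^|<]+?)\s*\|\s*(?P<points>[\d,]+)\s+points"
)


@dataclass(frozen=True)
class Finding:
    load_index: int
    shown_name: str
    shown_points: int
    expected_name: Optional[str]  # None when the session is anonymous


def extract_account(html: str) -> Optional[tuple[str, int]]:
    """Return (name, points) if the page shows account details, else None."""
    m = ACCOUNT_RE.search(html)
    if not m:
        return None
    return m.group("name").strip(), int(m.group("points").replace(",", ""))


def check_loads(pages: Iterable[str], expected_name: Optional[str]) -> list[Finding]:
    """Flag every load whose account details do not belong to this session.

    For an anonymous session (expected_name is None) *any* account details are
    a finding, which covers the Incognito observation above as well as the
    logged-in one.
    """
    findings = []
    for i, html in enumerate(pages):
        acct = extract_account(html)
        if acct is None:
            continue
        name, points = acct
        if expected_name is None or name != expected_name:
            findings.append(Finding(i, name, points, expected_name))
    return findings


def loads_needed(p_hit: float, confidence: float) -> int:
    """Minimum independent reloads so a defect seen on a fraction p_hit of loads
    shows up at least once with probability >= confidence."""
    if not 0 < p_hit < 1 or not 0 < confidence < 1:
        raise ValueError("p_hit and confidence must be in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - p_hit))


def miss_probability(p_hit: float, n_loads: int) -> float:
    """Chance that n_loads reloads all miss a defect seen on a fraction p_hit of loads."""
    return (1 - p_hit) ** n_loads


# Constructed sample: six snapshots of one page for a session logged in as
# "Jane Citizen". One snapshot carries a different member's header, mimicking
# the roughly 1-in-6 behaviour reported above; one shows the generic Login link.
SAMPLE_LOADS = [
    "<div class='hdr'>Welcome, Jane Citizen | 12,400 points</div>",
    "<div class='hdr'>Welcome, Jane Citizen | 12,400 points</div>",
    "<div class='hdr'>Welcome, Sam Example | 2,150,900 points</div>",
    "<div class='hdr'>Welcome, Jane Citizen | 12,400 points</div>",
    "<div class='hdr'><a href='/login'>Login</a></div>",
    "<div class='hdr'>Welcome, Jane Citizen | 12,400 points</div>",
]

if __name__ == "__main__":
    for f in check_loads(SAMPLE_LOADS, "Jane Citizen"):
        print(f"load {f.load_index}: page showed {f.shown_name!r} "
              f"({f.shown_points:,} pts) but session belongs to {f.expected_name!r}")
    print("reloads for 95% confidence at 1-in-6:", loads_needed(1 / 6, 0.95))
    print("reloads for 99% confidence at 1-in-6:", loads_needed(1 / 6, 0.99))
    print("chance 20 reloads all miss a 1-in-6 defect:",
          round(miss_probability(1 / 6, 20), 3))
```

Run against real traffic, `check_loads` would be fed the body of each reload made with a known test session and the name of that session's own test account; any hit is a cross-user leak regardless of how the defect is caused. The arithmetic explains the disagreement in the thread: at a 1-in-6 rate, 15 to 20 reloads still miss the defect a few percent of the time, and a tester wants about 17 loads for 95% confidence or 26 for 99%.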
 
I logged out of my account but still saw several names after that, including a points multi-millionaire. It looks like a lot of people have very healthy points balances, which is not surprising, but it's different when you see it for yourself.
 
> I logged out of my account but still saw several names after that, including a points multi-millionaire. It looks like a lot of people have very healthy points balances, which is not surprising, but it's different when you see it for yourself.
Everyone I saw had lower points balances than myself, it would have been fun to see a millionaire in the wild
 
So wait....when QF want to fix something quickly, it can be done. Surprised they didn't blame this on Covid

A combination of getting the info to the correct person with authority to fix (using LinkedIn was genius) and the motivation to avoid significant fines and legal action for breaching the Privacy Act (or equivalent) in multiple countries.

When the IT issues just deliver lousy service without breaking the law, the arrogance kicks in and problems can be ignored without real consequence.

Everyone knows that if the web site had the ability to book complex OWA itineraries, self-modify OWA, add bassinet bookings etc., calls to the call centre would be minimal.
 
True, but penalties in Australia at least can be larger if companies do not act swiftly once notified of a breach.
 
> Likely that in the rush to add the link for the promo the proper test protocols were not followed. Probably well past due for a full 3rd party Penetration Test.
Do you mean a sanctioned test? Because I can guarantee there'd be hundreds of 3rd party penetration tests attempted every day on the QF site.
 
Yes, sanctioned 3rd party penetration testing is standard protocol as part of production readiness for any public-facing site which holds PII.
 