This link shows me another person's QFF account details

I trust his/her CL invitation is in the mail. Likely saved them a penny or two.

Fingers crossed, I look forward to riding their coattail into the CL 😁

PS. Hello to any QF frontend devs/engineering folk dropping past the thread during your retro! 👋 Can you please fix the unusual multi-city tool login form behaviour? To replicate, visit the page when not logged in and attempt to search for a classic award. The login form works but doesn't show a search button afterwards.

Also, please lobby the social media team to reinstate an official QF presence here on AFF! We can be a fickle bunch BUT you would have found out about this issue much earlier - we are excellent QA testers/bug finders. We also miss @Red Roo!
 
Last edited:
Likely that in the rush to add the link for the promo the proper test protocols were not followed. Probably well past due for a full 3rd party Penetration Test.
 
For that matter, for a large corporate, if a web site is changed - say to put an offer in the landing page, click to accept the offer etc - what sort of testing might be usual before it goes live again? How about for a federal govt department? This sort of thing happens from time to time across the board.

Pretty much every change that goes into production should be looked at by at least two sets of eyes - the dev who writes the code and a second person to review and approve the pull request. Some orgs will require multiple PR approvals before shipping code, that would vary by internal policy.

I guess the tricky thing about this bug was that it only appeared on maybe 1/6 page loads from my testing, and only briefly appeared for a second or two. You also needed to be logged in with your own account to see the other person's details. (otherwise you'd just get the generic "Login" button) It shouldn't have been missed, but I can understand how it may have been.
 
Pretty much every change that goes into production should be looked at by at least two sets of eyes - the dev who writes the code and a second person to review and approve the pull request. Some orgs will require multiple PR approvals before shipping code, that would vary by internal policy.

I guess the tricky thing about this bug was that it only appeared on maybe 1/6 page loads from my testing, and only briefly appeared for a second or two. You also needed to be logged in with your own account to see the other person's details. (otherwise you'd just get the generic "Login" button) It shouldn't have been missed, but I can understand how it may have been.
I don't think you needed to be logged into your account to see this, I did all my testing in Chrome Incognito mode and saw about 5 different users
 
I don't think you needed to be logged into your account to see this, I did all my testing in Chrome Incognito mode and saw about 5 different users

I must have reloaded the page without being logged in a good 15-20 times and didn't see any details ... guess that just shows how intermittent it was.
 
I logged out of my account but still saw several names after that including a points multi millionaire. It looks like a lot of people have very healthy points balances which is not surprising but it's different when you see it for yourself.
 
I logged out of my account but still saw several names after that including a points multi millionaire. It looks like a lot of people have very healthy points balances which is not surprising but it's different when you see it for yourself.
Everyone I saw had lower points balances than myself, it would have been fun to see a millionaire in the wild
 
Australia's highest-earning Velocity Frequent Flyer credit card: Offer expires: 21 Jan 2025
- Earn 60,000 bonus Velocity Points
- Get unlimited Virgin Australia Lounge access
- Enjoy a complimentary return Virgin Australia domestic flight each year

AFF Supporters can remove this and all advertisements

So wait....when QF want to fix something quickly, it can be done. Surprised they didn't blame this on Covid

A combination of getting the info to the correct person with authority to fix (using linked in was genius) and the motivation to avoid significant fines and legal action for breaching privacy act (or equivalent) in multiple countries.

When the IT issues just deliver lousy service without breaking the law, the arrogance kicks in and problems can be ignored without real consequence.

Everyone knows if web site had ability to book complex OWA itineraries, self modify OWA, add bassinet bookings etc calls to call centre would be minimal.
 
A combination of getting the info to the correct person with authority to fix (using linked in was genius) and the motivation to avoid significant fines and legal action for breaching privacy act (or equivalent) in multiple countries.
That ship has sailed. The breach has already occurred.
 
True but penalties in Australia at least can be larger if companies do not act swiftly once notifed of a breach.
 
Likely that in the rush to add the link for the promo the proper test protocols were not followed. Probably well past due for a full 3rd party Penetration Test.
Do you mean a sanctioned test? Because I can guarantee there'd be hundreds of 3rd party penetration tests attempted every day on the QF site.
 
Yes sanctioned 3rd party penetration testing is standard protocol as part of production readiness for any public facing site which has PII.
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.
Back
Top