This link shows me another person's QFF account details

Chief Wiggum

Member
Joined
Sep 16, 2013
Posts
190
Qantas
Platinum
Virgin
Gold
Just now while logged into my QFF Account on the website, I accidentally clicked this hyperlinked blue bar at the top of page. (pic)

Which goes to this link https://www.qantas.com/hotels/campaigns/more-in-every-point

It opened up a new browser tab and I was surprised to see for about 3-4 seconds... the NAME & POINTS balance of another QFF member.

Then the tab updated to my details, replacing the other user' with mine.

I repeated the actions (clicking on the blue-bar) and it did the same things... this time with a different QFF NAME & POINTS.

Done it a few times now and each time the same result... a different person's details for 3-4 seconds before mine are updated.

If I'm quick enough I can even click the other person's name and see more information in the drop-down - before it converts over to my details.

Has anyone seen or experienced this before?

Seems like a serious security glitch to me - at very least giving away private information.
At worst - depending on what ELSE is happening in the background here to cause this - could allow someone far more computer knowledgeable and skilled than myself to possibly directly access the logged-in QFF account of another user... seemingly bypassing login & 2FA security measures?

Apologies if I'm being overly dramatic and if this is somehow a "known thing". Thought it was worth mentioning.


Screenshot 2022-05-14 125715.png
 
Yep, could reproduce the bug, saw 2 names and qff#. Really concerning.

Reporting it sounds good. Will someone read the message, let alone reallise it's a major security concern worth escalating? That s another question.

Any IT ninja around with nothing to do this afternoon? Would be good to write some loop that stops once AJ qff# is found. This for sure would get some attentions.
 
Was able to reproduce this too. Incredibly concerning. Wonder who's getting to see my details...
 
Yep - I wonder if we are seeing the same person - male initials TJ
 
I've made a report at the QF link/site above.
No obvious category of reporting for this type of thing - that I could find.
I lodged it under QFF Account Queries and detailed the nature of the "error" and how to replicate it and offered to provide a video showing the issue occurring multiple times.

Don't hold much hope of even getting an acknowledgement or reply, let alone useful feedback that the issue exists and is being addressed. Imagine QF is utterly inundated with Complaints via the Web Form and this probably will

I will also send a copy of my web complaint to the email address provided that says it is specifically for GDPR related privacy issues. I'm not in the EU but figure this might have more chance of being looked at by a human. And as far as I'm concerned... I'm sure QFF users in EU would be affected by this same issue, so it is GDPR related.

FWIW - I have just cleared all browser history once again and gone to a different computer, with a different browser, and can still replicate the same thing.
 
Managed to reprod. Took some screenshots and reported ([email protected]) I can easily run an automation script to screenshot thousands of profile in a matter of mins. This is a sev 1/2 bug as it breeches customer info confident.
 
Last edited:
Perhaps @TheInsider may also be able to bring this to the right peoples attention

Something is clearly being caached, I think its best to not click on that link, lest your details be the next ones to show up cached to the next person who goes to the link.
 
I have tried this also...the first 5 times it behaved as described above, then it reverted to showing a login request briefly before showing my details,
 
I did some digging in the network tab and it's definitely real information - including email and phone number. ([[redacted]] = my censoring, not theirs)

"authentication":{"accessToken":"[[redacted]]","memberId":"[[redacted]]","firstName":"JOSEPH J","lastName":"[[redacted]]","title":"MR","pointsBalance":145778,"membershipTier":"Bronze","pointsClubLevel":"Base","emailAddress":"[[redacted]]@hotmail.com","phoneNumber":"+61048[[redacted]]"}
 
Something is clearly being caached, I think its best to not click on that link, lest your details be the next ones to show up cached to the next person who goes to the link.

I would hazard a guess it's mixing up the auth token so if you want to be super safe don't log into your QFF account at all, regardless of the link.

That said, there is no PIN included, so unlikely anybody can do any damage.
 
I did some digging in the network tab and it's definitely real information - including email and phone number. ([[redacted]] = my censoring, not theirs)

"authentication":{"accessToken":"[[redacted]]","memberId":"[[redacted]]","firstName":"JOSEPH J","lastName":"[[redacted]]","title":"MR","pointsBalance":145778,"membershipTier":"Bronze","pointsClubLevel":"Base","emailAddress":"[[redacted]]@hotmail.com","phoneNumber":"+61048[[redacted]]"}
Not. Good. Terrifying in fact.

Especially given the already zero-value meaningless account login security that QF provides. A four-digit PIN has always been an utterly useless level of security when the other two credentials required to log in are being disclosed.

Yes... with 2FA turned on, there is (in theory) a slightly higher additional level of security.

But here... a malicious actor doesn't even NEED that... they're getting the authentication token directly from the website. GREAT !!!

Please QF.... offer users the chance to use a real (long-strong) password credential with more than 10,000 total choices
 
For me it only happens about 30% of the time and seems to only do it if you open it as a link (not refreshing the page).

And if you madly keep doing it, it's less likely to work.

It might require someone else to log in immediately before you opening the link.

I just tried it again twice, the first time didn't do it, but the second one did.
 
Australia's highest-earning Velocity Frequent Flyer credit card: Offer expires: 21 Jan 2025
- Earn 60,000 bonus Velocity Points
- Get unlimited Virgin Australia Lounge access
- Enjoy a complimentary return Virgin Australia domestic flight each year

AFF Supporters can remove this and all advertisements

For me it only happens about 30% of the time and seems to only do it if you open it as a link (not refreshing the page).

And if you madly keep doing it, it's less likely to work.

It might require someone else to log in immediately before you opening the link.

I just tried it again twice, the first time didn't do it, but the second one did.
I've had the same experience. I think I know where the fault lies. and it's a pretty basic error - which @justinbrett has detailed.
 
Let me guess, someone has decided to use the number of seconds since epoch (a time stamp, basically), as an auth token? So if you login at the same time as someone else you might get their session?
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.
Back
Top