This link shows me another person's QFF account details

Wow. I just had it happen. Twice. And to different people, one a John and the other a female but didn't catch their name.
 

Wow, and they ask for our "understanding" re long call wait times, or outsourcing of non-core activities, and their systems can't even get personal security right; it's getting far worse than CSA staff getting things "oop".
If those details showed surnames and middle names or more than basic details, it opens the doors to accounts being sucked dry, or ways to get personal details.
If it's showing other people's details, does it mean that our details are being shown to others?
And yet they say it's illegal to fly under a pseudonym (saw a newsy bit that OLMCG members can't fly using names other than their own), if they have to fly.
So someone, once they have our name, can then fly in our names.
OT: Flying under a false name to be a crime in Australia - TimeBase
 
You can bet that if someone’s account gets hacked, and points lost, because of this “bug”, Qantas will not admit liability.
 
You can bet that if someone’s account gets hacked, and points lost, because of this “bug”, Qantas will not admit liability.
I think this thread proves their liability if that happens especially as it's been reported to them. This time it pointed to a Fiona. Then Christopher seconds later. Thomas.
 
Still happening for me. As pointed out above, there's more private info in the source code of the page. This makes it much much worse. Here's a sample with details removed.

,"memberId":"X",
"firstName":"X",
"lastName":"X",
"title":"MR",
"pointsBalance":1,
"membershipTier":"X",
"pointsClubLevel":"X",
"emailAddress":"X",
"phoneNumber":"+61"}},
"userEnvironment":{"ipAddress":"49.",
"{"treatment":"widget","config":null},"status_credit_terms":{"treatment":"off","config":null},"vpp":


This is bad enough that the site should be taken offline until rectified.
 
I've made a report at the QF link/site above.
No obvious category of reporting for this type of thing - that I could find.
I lodged it under QFF Account Queries and detailed the nature of the "error" and how to replicate it and offered to provide a video showing the issue occurring multiple times.

Don't hold much hope of even getting an acknowledgement or reply, let alone useful feedback that the issue exists and is being addressed. Imagine QF is utterly inundated with Complaints via the Web Form and this probably will

I will also send a copy of my web complaint to the email address provided that says it is specifically for GDPR related privacy issues. I'm not in the EU but figure this might have more chance of being looked at by a human. And as far as I'm concerned... I'm sure QFF users in EU would be affected by this same issue, so it is GDPR related.

FWIW - I have just cleared all browser history once again and gone to a different computer, with a different browser, and can still replicate the same thing.
Expect a reply in 1-2 months, if at all.
 
Looks like misconfigured Akamai/Cloudflare caching. Typical mistake made by sites serving up dynamic content… much worse when that content contains personally identifiable information.
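
The caching failure suggested in the post above can be checked for from the defender's side. The following is an added example, not part of the original thread and not Qantas code: it flags a response that carries the personal fields quoted in this thread while its headers let a shared cache (CDN) store it. The sample responses are constructed, and `PERSONAL_KEYS` and the function names are assumptions.

```python
import json

# Field names taken from the JSON fragments quoted in this thread.
PERSONAL_KEYS = {"accessToken", "memberId", "lastName", "emailAddress", "phoneNumber"}

def parse_cache_control(value):
    """Return {directive: argument or None}, directive names lower-cased."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def personal_keys_in(body):
    """Collect non-empty personal-data keys at any depth of a JSON body."""
    found = set()
    def walk(node):
        if isinstance(node, dict):
            for key, val in node.items():
                if key in PERSONAL_KEYS and val not in (None, ""):
                    found.add(key)
                walk(val)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    try:
        walk(json.loads(body))
    except ValueError:
        pass  # not JSON: nothing this check can say
    return found

def shared_cache_risk(headers, body):
    """Findings for one response; an empty list means nothing flagged."""
    if not personal_keys_in(body):
        return []
    hdrs = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(hdrs.get("cache-control", ""))
    findings = []
    # Of the Cache-Control directives, only `private` and `no-store`
    # keep a response out of shared caches.
    if "private" not in cc and "no-store" not in cc:
        findings.append("shared-cacheable")
    # An Age header means a cache, not the origin, produced this copy (RFC 9111).
    if "age" in hdrs:
        findings.append("served-from-cache")
    return sorted(findings)

# Constructed sample responses (no real member data).
BODY = '{"authentication":{"memberId":"0000000","firstName":"X","emailAddress":"x@example.invalid"}}'
LEAKY = {"Content-Type": "application/json", "Cache-Control": "public, max-age=300", "Age": "42"}
SAFE = {"Content-Type": "application/json", "Cache-Control": "private, no-store"}
```

A CDN rule that overrides origin headers is invisible to this check, so the edge configuration needs the same review.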
 
As it looks like PII data is being leaked, any QFF member in UK/EU can raise a request to ascertain if their data was exposed, and QF could be liable for a material fine up to 25 % of their global turnover.

(Unlikely to be such a large fine for a first offence though!)

(I'd be surprised if QF was fully aware of its GDPR obligations)
 
Wow!
Apart from the person's points getting sucked from their account, there is also the opp for someone to do SIM porting, which is even worse.
 
Teehee, I am not one of them.
But I know the feeling, when my xgody phone sim I thought died, or I thought it got ported.
I do buy things from ebay, so I got very nervy, as ebay packages show your name, your address, and your phone number, or that of any purchases.
But it's so easy to do porting these days, will be tougher in future, but for now, it's too easy.
No date of birth of course, but a scammer can track that for sure.
So, I made an effort to go all the way to Coles to buy a new phone, not too far, otherwise I would have had to go to my mobile providers store, a bit further away, line up, and wait to be served.
Thought to myself, might as well try a new phone first.
Put nano sim into new phone, and it works, so I still had access.
Any scammer worth his salt will try to firstly do a google to see if there is more things about that name, and go from there.
A lot of waffle, I do agree, but with the name provided above, if it's a real person, they are now open to anything.
If QFF reply to all those messages above, what can they say, but the damage has been done.
I mean, the number of QFF/QF staff who are specialists in this field would probably be quite limited in number, as we know, AJ got rid of a lot of non-core staff, or outsourced a lot.
It's not like the call centre staff would be able to deal with this, as in title, and in body of this thread.
Ok, will keep quiet on this now.
 
Any ideas - maybe those who know how Qantas IT dept (if there is one in-house) is structured - at what level this "programming error" (for want of a more sophisticated term) might have been caused? Would the lowest level "programmer" (or whatever the job is called these days) on a mundane task be able to put that sort of glitch in, or, as it is dealing with Members' personal details, might it require someone "higher up"? Or could it have occurred from some module that was just put into the web site coding, not checked with unexpected consequences.

For that matter, for a large corporate, if a web site is changed - say to put an offer in the landing page, click to accept the offer etc - what sort of testing might be usual before it goes live again? How about for a federal govt department? This sort of thing happens from time to time across the board.
 
I did some digging in the network tab and it's definitely real information - including email and phone number. ([[redacted]] = my censoring, not theirs)

"authentication":{"accessToken":"[[redacted]]","memberId":"[[redacted]]","firstName":"JOSEPH J","lastName":"[[redacted]]","title":"MR","pointsBalance":145778,"membershipTier":"Bronze","pointsClubLevel":"Base","emailAddress":"[[redacted]]@hotmail.com","phoneNumber":"+61048[[redacted]]"}
I wish I had thought to check the network tab, that's really interesting. Agree with the others that it looks to be fixed now.
 
