Flying Blue (Air France, KLM, and Other Partners) - New problems FB website relating to "share and fly" (see details of other members)

I think there is a hugh problem with the KL site. Clicked on the link a couple of times and I'm getting people's info..

MR N***** *******
Miles balance: 119306 miles
Transfer Award Miles

You can share your Award Miles with a friend or family member who is an additional cardholder, providing they are also a Flying Blue member. Simply request Flying Blue to transfer all or part of your Award Miles to either of the two Flying Blue accounts.

Personal details

Flying Blue number
************
Name
MR ************
Miles balance
119306

Do you see the same ?

Perhaps you should remove that personal information asap.
And yes, it seems that indeed you can query for people's Name by entering their FB number.

[edit]
You are right. It randomly shows other people's information. What the hell..

Perhaps you should remove that personal information asap.
And yes, it seems that indeed you can query for people's Name by entering their FB number.

[edit]
You are right. It randomly shows other people's information. What the hell..

Removed, and yes, what the hell is what i thought as well...

I called Flying Blue to point them towards the problem. Their IT department is going to verify..

By the way, I see another guy's name and miles balance than posted above when I open the link without being logged in. Theoretically I could probably even move miles out of his account:

http://upload.xandrios.net/fb_other_account.png (censored screenshot)

Perhaps we should let them figure this out before this really goes public..

Good job, are they gonna send us some miles for it??? :D

I called Flying Blue to point them towards the problem. Their IT department is going to verify..

By the way, I see another guy's name and miles balance when I open the link without being logged in. Theoretically I could probably even move miles out of his account:

http://upload.xandrios.net/fb_other_account.png (censored screenshot)

Perhaps we should let them figure this out before this really goes public..

I sent a mail to FB as well :)

I called Flying Blue to point them towards the problem. Their IT department is going to verify..

By the way, I see another guy's name and miles balance than posted above when I open the link without being logged in. Theoretically I could probably even move miles out of his account:

http://upload.xandrios.net/fb_other_account.png (censored screenshot)

Perhaps we should let them figure this out before this really goes public..

I tried that with 1 mile, but then you get an error. I was not logged in when I clicked the link, that's how I found out.

This riddiculous! I copied Xandrios' link and also got personal details of a FB member, but a different one than he got. I tried a different browser and the same person showed up. However while yesterday you could access the form through your profile after logging in, now the link is removed

Seems they disabled the "feature".

Yes they did, finally. Guess somebody higher up had to greenlight the decision to take the feature offline.

Turns out to have been something slightly more difficult to reproduce, as the problem did not appear using their internal network. My best guess is that there is some kind of (web?) caching in place for external access, which has been misconfigured for the new feature.. (Therefore wrongfully showing cached pages that contain user data).

Probably a bit of internal phishing going on..............

Some months ago, I also found another person's detail by logging in with my personal informations on the AF iPhone app... And that was before Share&Fly.

Is this a new feature the Share&Fly?
Where can I find the same?

Some months ago, I also found another person's detail by logging in with my personal informations on the AF iPhone app... And that was before Share&Fly.

Can you reproduce that somehow? Do you remember which steps you had done to get to that result?


Is this a new feature the Share&Fly?
Where can I find the same?

Its for members that have the FlyingBlue Amex (http://www.americanexpress.com/netherlands/flying-blue-gold-card) only:

Share & Fly
Met Share & Fly kunt u Award Miles delen met uw extra kaarthouder(s) binnen uw account. Door het overboeken van uw Miles spaart u sneller voor een award ticket.

Can you reproduce that somehow? Do you remember which steps you had done to get to that result?

It happened only once. IIRC, once logged, I clicked either on "mileage summary" (or equivalent term). At the top of the page was displayed the name, surname and FB number of a third person as well as an error message ("Passenger XXX, FB number 123456789 already used by another member of the group") ; below was my mileage summary and my name.

I noticed that Share&Fly is back. However, this time it only shows a blank page for me.

https://www.klm.com/travel/nl_en/flying_blue/manage_my_account/shareandfly/form.htm

Do you have an FB Amex?

If not, then it should be blank.

I do have an Amex. I doubt however that in another case it should be blank, it would be bad to have a link on the KLM frontpage that results in a blank page ;)

Well, the link shouldn't be shown to those without an FB Amex, but if it was, there should be no content loadable.

Better than:

http://i45.tinypic.com/zupiqd.jpg

These are the guys who do at least some of KLM's site IT. Have a wander through their own site and see how much of it doesn't work properly and it will clear up a lot of mystery about the KLM web experience. :p

http://iscits.com/iscits/default.htm