
UA Mobile Site Breach Let Fliers See Others Private Data -cached session state-fixed?

Old Jan 28, 2015, 2:20 pm
  #1  
Original Poster
 
Join Date: Jan 2004
Location: Rehoboth Beach, DE
Programs: AA ExPlat; Marriott Plat: Hilton Gold
Posts: 831

http://boingboing.net/2015/01/28/uni...-let-flie.html
Nicksterguy is offline  
Old Jan 28, 2015, 2:24 pm
  #2  
A FlyerTalk Posting Legend
 
Join Date: Apr 2001
Location: PSM
Posts: 69,232
Session state has been a mess in the systems for a long, long time. Oops.
sbm12 is offline  
Old Jan 28, 2015, 3:05 pm
  #3  
 
Join Date: Jan 2009
Location: LHR (sometimes CLE, SFO, BOS, LAX, SEA)
Programs: UA 1K
Posts: 5,893
Yeah, the mobile site in particular has had a lot of session-state bugs (see e.g. https://www.tinfoilsecurity.com/blog/132969897 ). There does not seem to be a lot of room for targeted attacks in the published problems (you couldn't go and find Tony Shalhoub's specifically and assign him seats next to you) but there is a bunch of opportunity for strangers to cause havoc.
mherdeg is online now  
Old Jan 28, 2015, 3:43 pm
  #4  
 
Join Date: Mar 2014
Location: PWM
Programs: AA Plat
Posts: 1,335
Interesting! I've noticed a similar (but smaller in scope) issue with UA's useless Travel Bank Gift Registry on .bomb.
sexykitten7 is offline  
Old Jan 28, 2015, 3:55 pm
  #5  
FlyerTalk Evangelist
 
Join Date: May 2007
Location: Houston
Programs: UA Plat, Marriott Gold
Posts: 12,693
Unfortunate UA won't say when this bug was introduced, just when it was fixed.

There are a couple of other reservation-related exploits on the site, but they require some prior knowledge.
mduell is offline  
Old Jan 28, 2015, 4:27 pm
  #6  
 
Join Date: Feb 2002
Location: NYC: UA 1K, DL Platinum, AAirpass, Avis PC
Posts: 4,599
Funny, on all the screenshots she has where it asks to upgrade, the flights all say "upgrade not offered," yet there is a "confirm upgrade" button at the bottom of each.
cerealmarketer is offline  
Old Jan 28, 2015, 5:33 pm
  #7  
FlyerTalk Evangelist
 
Join Date: Aug 2005
Location: BOS/EAP
Programs: UA 1K, MR LTT, HH Dia, Amex Plat
Posts: 32,053
I have seen this on the regular site 2 years ago. Suddenly it was showing me random reservations with all the details. UA keeps having these issues ... pathetic, if the story in the link is true that UA denies they have been contacted by customers, but nothing surprises me anymore these days.
cfischer is online now  

