UA Mobile Site Breach Let Fliers See Others Private Data -cached session state-fixed?
#1
Original Poster
Join Date: Jan 2004
Location: Rehoboth Beach, DE
Programs: AA ExPlat; Marriott Plat: Hilton Gold
Posts: 831
#3
Join Date: Jan 2009
Location: LHR (sometimes CLE, SFO, BOS, LAX, SEA)
Programs: UA 1K
Posts: 5,893
Yeah, the mobile site in particular has had a lot of session-state bugs (see e.g. https://www.tinfoilsecurity.com/blog/132969897 ). There does not seem to be a lot of room for targeted attacks in the published problems (you couldn't go and find Tony Shalhoub's specifically and assign him seats next to you) but there is a bunch of opportunity for strangers to cause havoc.
#5
FlyerTalk Evangelist
Join Date: May 2007
Location: Houston
Programs: UA Plat, Marriott Gold
Posts: 12,693
Unfortunately UA won't say when this bug was introduced, just when it was fixed.
There's a couple other reservation-related exploits on the site, but they require some prior knowledge.
#7
FlyerTalk Evangelist
Join Date: Aug 2005
Location: BOS/EAP
Programs: UA 1K, MR LTT, HH Dia, Amex Plat
Posts: 32,053
I have seen this on the regular site 2 years ago. Suddenly it was showing me random reservations with all the details. UA keeps having these issues ... pathetic, if the story in the link is true that UA denies they have been contacted by customers, but nothing surprises me anymore these days.