
Went to AA.Com and are in Someone Else's Account

 
 
Old Jul 15, 2005, 8:02 am
  #1  
wma
Original Poster
 
Join Date: Feb 2005
Location: BOS
Programs: AA, HH, Marriott Titanium Elite
Posts: 799
Went to AA.Com and are in Someone Else's Account

Just went to AA.Com and instead of seeing my name and Account Number I was in "Mark's" Account. He's EXP with a ton of miles. He's posted 300K+ since last month. When I clicked on View details it gave me his account number. Granted I do not know his password to get into his account. But I shouldn't be seeing this. Has this happened to anyone else today? Very disconcerting.
wma is offline  
Old Jul 15, 2005, 8:06 am
  #2  
 
Join Date: Jul 2005
Programs: FlyingBlue Platinum, LH Senator, VA Velocity Platinum, Marriott Silver, Hilton Diamond
Posts: 1,010
WOW.. so much for security with miles...
dg4255 is offline  
Old Jul 15, 2005, 8:09 am
  #3  
Suspended
 
Join Date: Feb 2001
Location: Tampa, Florida, U.S.A.
Posts: 7,664
Originally Posted by wma
Just went to AA.Com and instead of seeing my name and Account Number I was in "Mark's" Account. He's EXP with a ton of miles. He's posted 300K+ since last month. When I clicked on View details it gave me his account number. Granted I do not know his password to get into his account. But I shouldn't be seeing this. Has this happened to anyone else today? Very disconcerting.
Yes happened to me yesterday got the same exact info.
Believe it or not it appears to be a member posting here on Ftalk.
I sent him a PM (no response)
Just curious did you speak to the Admirals club or Advantage customer service to have a posting adjusted in your account yesterday?
I did not, sure if related.

mike
MIKESILV is offline  
Old Jul 15, 2005, 8:20 am
  #4  
wma
Original Poster
 
Join Date: Feb 2005
Location: BOS
Programs: AA, HH, Marriott Titanium Elite
Posts: 799
More Information. Mark is in GRR, I'm in BOS. AA.com technical support (Scott) says he had to log into my computer for this to happen. I told them he's in MI I'm in MA, it didn't happen. He puts me on hold and comes back to tell me "Yeah, we've been having some problems like that of late. You have to tell the Webmaster." I asked aren't you web support? Scott replies "Yeah, but you need to go online and write it up, if (get this) I feel there is a breach in security." I asked Scott, if he thought this was "A breach in Security?", his reply "Yeah" (big on yeahs).

I wrote it up and sent it in. If there is a Mark out here on FT from GRR, who's EXP PM me.
wma is offline  
Old Jul 15, 2005, 10:17 am
  #5  
 
Join Date: May 2000
Programs: Ozark Airlines--Lifetime Platinum, Braniff---Diamond, Eastern--Plutonium Motel 6--Guest of the Month
Posts: 853
Same exact thing happened to my wife's account several years ago....somehow I provided a link inside FT to a question somebody asked about AA, and the next day my wife's account was pulled up by many people....found out about it on FT, they were talking about seeing someone else's account...and lo and behold it is the wife's. Took a couple calls to AA webmaster and a couple days to get it sorted out...but also ended up with a few extra miles in her account for the ordeal.
zipual is offline  
Old Jul 15, 2005, 10:29 am
  #6  
brp
FlyerTalk Evangelist
 
Join Date: Mar 2004
Location: SJC
Programs: AA EXP, BA Silver, Hyatt Globalist, Hilton diamond, Marriott Platinum
Posts: 33,533
Originally Posted by zipual
Same exact thing happened to my wife's account several years ago....somehow I provided a link inside FT to a question somebody asked about AA, and the next day my wife's account was pulled up by many people
If you remember, when you included the link, did you remove the session id from the URL? If not, you included information giving a direct link into that account. Of course, security on AA.com should not allow someone to just enter a URL with session and get in bypassing the password part. But it seems to do so, and this would, at least, explain what happened in your situation.

Cheers.
brp is offline  
Old Jul 15, 2005, 10:36 am
  #7  
 
Join Date: Feb 2005
Location: just perfect, till the snow comes
Programs: AA (what is EXP?), UA 1P, IC free mini bar club, SPG GLD
Posts: 887
Originally Posted by brp
security on AA.com should not allow someone to just enter a URL with session and get in bypassing the password part. But it seems to do so, and this would, at least, explain what happened in your situation.

Cheers.

Seems like AA.com is running out of Session-ID
kenfry is offline  
Old Jul 15, 2005, 10:48 am
  #8  
brp
FlyerTalk Evangelist
 
Join Date: Mar 2004
Location: SJC
Programs: AA EXP, BA Silver, Hyatt Globalist, Hilton diamond, Marriott Platinum
Posts: 33,533
Originally Posted by kenfry
Seems like AA.com is running out of Session-ID
Oh, not at all. If the link included the session ID, clicking on that link will (attempt to) establish a connection with that session. Lax security will allow the connection. But the session ID pointed into the account. This is all assuming, of course, that the session ID was in the link. If there was no session ID, I'm pretty certain that even AA.com is not braindead enough to just pop up a random account when not using any credential at all. Wrong account after login, sure- I've had it happen to me, too. But one has to provide at least something.

Cheers.
brp is offline  
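
The behaviour described in posts #6 and #8, as an added example that is not part of the thread and is not AA.com's code: a server that honours a session token found in a URL beside one that accepts it only from a cookie, plus a helper that strips session identifiers from a link before it is posted. The parameter names, the `session` cookie name, the `SessionStore` class and the `example.test` host are assumptions; the thread does not say what the shared link contained.

```python
import re
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names (common framework defaults), not taken from the thread.
SESSION_PARAMS = {"jsessionid", "sessionid", "session_id", "sid", "phpsessid"}


def strip_session_id(url):
    """Return url with session identifiers removed, so it is safe to share."""
    parts = urlsplit(url)
    # Path-parameter form, e.g. /view.do;jsessionid=ABC
    pattern = r";(?:%s)=[^/;?#]*" % "|".join(sorted(SESSION_PARAMS))
    path = re.sub(pattern, "", parts.path, flags=re.I)
    # Query-string form, e.g. ?sessionid=ABC&view=details
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() not in SESSION_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, path,
                       urlencode(query), parts.fragment))


class SessionStore:
    """Toy server-side session table: token -> account name."""

    def __init__(self):
        self._sessions = {}

    def login(self, account):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = account
        return token

    def resolve_lax(self, url, cookies):
        # Lax: a token in the URL is honoured, so whoever follows a
        # shared link lands in the session of the person who posted it.
        query = dict(parse_qsl(urlsplit(url).query))
        token = query.get("sessionid") or cookies.get("session")
        return self._sessions.get(token)

    def resolve_strict(self, url, cookies):
        # Hardened: only the cookie identifies the session; anything in
        # the URL is ignored, so a pasted link carries no authority.
        return self._sessions.get(cookies.get("session"))
```

A production deployment would also mark the cookie `Secure` and `HttpOnly`, expire idle sessions, and issue a fresh token at login.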
Old Jul 15, 2005, 10:50 am
  #9  
Suspended
 
Join Date: Feb 2001
Location: Tampa, Florida, U.S.A.
Posts: 7,664
Originally Posted by zipual
Same exact thing happened to my wife's account several years ago....somehow I provided a link inside FT to a question somebody asked about AA, and the next day my wife's account was pulled up by many people....found out about it on FT, they were talking about seeing someone else's account...and lo and behold it is the wife's. Took a couple calls to AA webmaster and a couple days to get it sorted out...but also ended up with a few extra miles in her account for the ordeal.
That could very well be it, because the " Mark" in question is a very active member of FT on the AA board.
I believe he read ( or deleted) my PM to him.

mike
MIKESILV is offline  
Old Jul 15, 2005, 11:21 am
  #10  
wma
Original Poster
 
Join Date: Feb 2005
Location: BOS
Programs: AA, HH, Marriott Titanium Elite
Posts: 799
I'm confused so what I hear you folks saying, when I read a thread yesterday and clicked the AA link in the thread, I got into "Mark's" account. And since I have "save my ID number" checked on my computer, I saved his ID? If that is the case, it's bad.

As the AA saga continues - I received an email back from the webmaster saying I was using a public computer and that's why I was seeing Mark's account. Understand when I saw Mark's account all it said was Mark, not his last name. The CSR at AA kindly provided his last name in the email. So now I have his full name and account number. Nice.
wma is offline  
Old Jul 15, 2005, 11:30 am
  #11  
brp
FlyerTalk Evangelist
 
Join Date: Mar 2004
Location: SJC
Programs: AA EXP, BA Silver, Hyatt Globalist, Hilton diamond, Marriott Platinum
Posts: 33,533
Originally Posted by wma
I'm confused so what I hear you folks saying, when I read a thread yesterday and clicked the AA link in the thread, I got into "Mark's" account. And since I have "save my ID number" checked on my computer, I saved his ID? If that is the case, it's bad.
No to this. If the session ID was in the link, it could have brought up his account. However, the "save my ID number" wouldn't be affected because that only comes into play when you're on a login page and enter your AAdvantage # and password. Even if you got into Mark's account, you don't have, or know his ID. So, it wouldn't save his there as you didn't access his account through the normal login procedure. You're completely safe on this score.

Originally Posted by wma
As the AA saga continues - I received an email back from the webmaster saying I was using a public computer and that's why I was seeing Mark's account. Understand when I saw Mark's account all it said was Mark, not his last name. The CSR at AA kindly provided his last name in the email. So now I have his full name and account number. Nice.

From your OP, I thought that this was on your own computer. If it was public, it is likely that Mark didn't log out. Did you just go to AA.com and have Mark's info? Did you select "Logout" or "Change User"? Did you go to a blank screen (with no user showing) and login with your info only to find Mark's instead?

There have been a number of threads here about finding someone else's un-logged-out account on a public computer, usually an AC. That's not as odd an occurrence as if you had done this on your home computer, where Mark, likely, never would have been.

Am I interpreting the details correctly?

Cheers.
brp is offline  
Old Jul 15, 2005, 11:44 am
  #12  
wma
Original Poster
 
Join Date: Feb 2005
Location: BOS
Programs: AA, HH, Marriott Titanium Elite
Posts: 799
Originally Posted by brp
From your OP, I thought that this was on your own computer. If it was public, it is likely that Mark didn't log out. Did you just go to AA.com and have Mark's info? Did you select "Logout" or "Change User"? Did you go to a blank screen (with no user showing) and login with your info only to find Mark's instead? Am I interpreting the details correctly
Sorry I wasn't clear in my sarcasm. I was using my laptop, I wasn't using a public computer and I told that to the AA webmaster. What got me was I felt like the CSR didn't read the email, just gave me a scripted answer. I was clear in my email that the computer was my own personal laptop, not a public one, and that it (the computer) has been in my possession as long as I own it ( I never let anyone touch it, my husband doesn't even know my password).

What gets me in the email, AA gave me more information on the guy than I originally had.

I have figured out where I tapped into the link, and have PM'd the person letting him know the situation and advising him to remove his post.
wma is offline  
Old Jul 15, 2005, 11:57 am
  #13  
Suspended
 
Join Date: Feb 2001
Location: Tampa, Florida, U.S.A.
Posts: 7,664
Originally Posted by wma
Sorry I wasn't clear in my sarcasm. I was using my laptop, I wasn't using a public computer and I told that to the AA webmaster. What got me was I felt like the CSR didn't read the email, just gave me a scripted answer. I was clear in my email that the computer was my own personal laptop, not a public one, and that it (the computer) has been in my possession as long as I own it ( I never let anyone touch it, my husband doesn't even know my password).

What gets me in the email, AA gave me more information on the guy than I originally had.

I have figured out where I tapped into the link, and have PM'd the person letting him know the situation and advising him to remove his post.
I guess you didn't bother to read my initial post saying I had already identified the Ftalker and had PM'd him about it LAST NIGHT (at about 900PM)

mike

Edited to add that the info came up on my PC at home
MIKESILV is offline  
Old Jul 15, 2005, 11:59 am
  #14  
 
Join Date: Jan 2003
Location: Scarsdale, NY USA; LT PLT AA; AA 3 mm (4 mm will never happen); Hilton Diamond, Marriott Silver, AA is clueless why I fly
Posts: 754
Originally Posted by wma
Understand when I saw Mark's account all it said was Mark, not his last name. The CSR at AA kindly provided his last name in the email. So now I have his full name and account number. Nice.
Who was the CSR? Karl Rove?
jaynyc is offline  
Old Jul 15, 2005, 12:12 pm
  #15  
wma
Original Poster
 
Join Date: Feb 2005
Location: BOS
Programs: AA, HH, Marriott Titanium Elite
Posts: 799
Originally Posted by MIKESILV
I guess you didn't bother to read my initial post saying I had already identified the Ftalker and had PM'd him about it LAST NIGHT (at about 900PM)
I did read your post. Then I went to the thread and clicked on the link and lo and behold I was on his page again. I thought I'd be nice and PM him again letting him know this was still happening.
wma is offline  

