What do BAEC FTers use to track their flight history?
#46
Join Date: Jul 2016
Location: Oxford (&Western Isles )
Programs: BA GGL, CCR; RyanAir MillionMiler :( ;
Posts: 756
I know a lot of people are suggesting BA97.com but due to his age could you not take a more alternative and old school approach and create some sort of world map poster with pins in so you can physically show him when he starts to understand? Just an idea anyway
#47
FlyerTalk Evangelist
Join Date: Mar 2010
Location: JER
Programs: BA Gold/OWE, several MUCCI, and assorted Pensions!
Posts: 32,146
LOL - I did this years ago with my 5yo son and a big map of the UK. We pinned on all the (mostly towns, not cities) places that we went to watch Wycombe Wanderers games on our travels. Pins all over the place - but boy does he know where Rochdale and Boston and Altrincham and Mansfield and Exeter are!!
#48
Join Date: Aug 2004
Location: Newcastle upon Tyne, UK
Programs: BA Gold
Posts: 2,126
Agreed, reflection attacks aren't fun. I have addressed the bug in ba97.com highlighted by JSInjector; whilst some server-side functionality limited the risk, it was a fair (though dramatically made) point and the registration process is now more solid.
There may be other data input issues elsewhere in the site (parts of which are 12 years old now!) which I will check for.
#49
Join Date: Nov 2013
Location: PHX, SEA
Programs: Avis President's Club, Global Entry, Hilton/Marriott Gold. No more DL/AA status.
Posts: 4,422
https://xkcd.com/327/
#50
Join Date: Mar 2015
Location: London / Brighton
Programs: BAEC Gold / M-Life Gold / HH Diamond
Posts: 1,634
Another vote for MyFlightRadar24... here's mine
#54
Join Date: Jan 2011
Location: London, UK
Programs: BAGGL, A3G, Accor Gold, Hilton Diamond, IHG Diamond, LHW Sterling
Posts: 1,308
I'm trying to set up Flightradar24. Getting the old flights is painful! I did all the ones in the Myflights app manually, and now have been trying to forward old booking confirmations to TripIt, which is synced. Are there any smarter ways to get old flights in there?
#55
Ambassador: Emirates Airlines
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,618
The ba97.com site mentioned by some users in this thread has MAJOR security vulnerabilities, and I have inadvertently damaged the site. Moments ago, I was on the map page. If you access this page while not logged in, you are prompted to enter a username to see that user's map. Moreover, an autocompleter suggests usernames once you type a few characters (or, at least, it used to). The thing is, the server puts the full list of every username for the autocomplete as a JavaScript array in a script tag in the plain text HTML. I was curious whether this really could be as bad as it looked, and yielding to the luring temptation (which I now regret), I registered on ba97.com with a username tester3\'. To my great surprise, the server accepted the username, and even worse, sent it back into the HTML unfiltered! The escaped \' of course renders as a ', ending the string list and apparently giving me free access to the script tag!
Since I have no malicious intentions, I didn't add "] + dangerous code" to the end of my username (and I dare not try anything else again), so now all that happens is the JavaScript has a syntax error and doesn't compile, breaking the autocomplete and apparently the entire query too. So now we can't look up other users' records. Sorry for breaking it, but this vulnerability could be exploited to do terrible things. JavaScript runs on the client and has access to the client's computer's hardware and file system...
To the developer of the site: I am sorry for breaking the site (and it was truly accidental), but your site's security is unacceptable. You need to either restrict usernames to letters and numbers, or not allow usernames to escape in the HTML. Better yet, don't put everyone's username in a client-side script tag...keep them on the server! Query the database asynchronously to handle the autocomplete (this is really easy nowadays).
To everyone else: do NOT load ba97.com in your browser unless it is totally contained from anything sensitive.
NB. The syntax error introduced by my username will make it harder for others to exploit the vulnerability, because it will prevent the JS from compiling even after malicious code is injected, so actually my accident is helping to defend the developer and all the site's users. This is why I have decided to publicly expose the vulnerability on this thread.
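Added example (not part of the post above and not ba97.com's code): a sketch of the two server-side fixes the post names, an alphanumeric username allowlist and safe embedding of a username list in a script tag. All function names, the length bound and the sample names are assumptions made for illustration.

```javascript
// Hypothetical helpers for illustration; not taken from any real site.

// Allowlist named in the post: letters and numbers only.
// The 3-32 length bound is an assumption.
const USERNAME_RE = /^[A-Za-z0-9]{3,32}$/;
function isValidUsername(name) {
  return typeof name === "string" && USERNAME_RE.test(name);
}

// Naive rendering: names concatenated into single-quoted string literals,
// so any quote inside a name changes the structure of the script.
function renderNaive(names) {
  return "var users = [" + names.map((n) => "'" + n + "'").join(",") + "];";
}

// Hardened rendering: JSON.stringify escapes quotes and backslashes; the
// extra replace stops "<", ">", "&" and U+2028/U+2029 from closing the
// <script> element or breaking a line inside it.
function renderSafe(names) {
  const json = JSON.stringify(names).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
  return "var users = " + json + ";";
}

// True if the text parses as JavaScript (compiled only, never invoked).
function parses(script) {
  try {
    new Function(script);
    return true;
  } catch (e) {
    return false;
  }
}

// Evaluate the rendered array to confirm every name survives as plain data.
function evalUsers(script) {
  return new Function(script + " return users;")();
}

// Constructed sample names; the second is the username quoted in the post.
const SAMPLE = ["alice", "tester3\\'", "o'brien", "</script>"];
```

With `SAMPLE`, the naive output fails to parse (the broken-autocomplete symptom described above), while the hardened output parses and returns the names unchanged. Apply the allowlist at registration as well, so a stored name is safe in every other place it is rendered.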
#56
Join Date: Sep 2014
Location: Cumbria
Programs: BAEC GGL/CCR, Hilton Diamond, Starbucks Gold
Posts: 4,510
Rather than registering a new user to show how clever you are, why didn't you PM @BA97 to alert him / her to the issue? All you've done is announced the vulnerability that "bad guys" may now be able to exploit.
#57
FlyerTalk Evangelist
Join Date: Mar 2010
Location: JER
Programs: BA Gold/OWE, several MUCCI, and assorted Pensions!
Posts: 32,146
I do, however, regularly save my ba97 data anyway ... I don't want to have to manually import everything from 1963 again!!
#58
Ambassador: Emirates Airlines
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,618
I tried to export from ba97, using the .csv file, to MFR24 ... I failed completely! It seemed the various fields didn't align, and despite some fiddling with the .csv table, I couldn't get the import to work. I thus gave up [as I do when technology gets the better of me] and just manually input flights to MFR24 going back to 2000, and left it at that.
I do, however, regularly save my ba97 data anyway ... I don't want to have to manually import everything from 1963 again!!
#59
Join Date: Mar 2011
Programs: BA exec, HHonors Diamond
Posts: 556
This thread prompted me to check myFR24 account and I noticed no sync from my Tripit account since Feb 18. I disconnected Tripit from myFR24 then did a reconnect and it brought into myFR24 my missing 5 months' data. Don't know if that will work for you, just a suggestion.
#60
Join Date: May 2017
Programs: BAEC Silver
Posts: 30
Rather than registering a new user to show how clever you are, why didn't you PM @BA97 to alert him / her to the issue? All you've done is announced the vulnerability that "bad guys" may now be able to exploit.
That being said, it does say "Spot any problems? [email protected] ".