
[Post website problems here] New CO website....clean but not perfect....

Old Jul 31, 2006, 8:28 pm
  #286  
 
Join Date: May 2003
Location: Somewhere in picturesque New England
Programs: WN Rapid Rewards, DL SkyMiles, UA MileagePlus, HiltonHonors
Posts: 765
Originally Posted by sbm12
The reservations are REAL!!!
This is VERY serious. CO's gotta pull the new page immediately--the legal and/or PR fallout from this could be enormous.
senatorgirth is offline  
Old Jul 31, 2006, 8:30 pm
  #287  
 
Join Date: Jan 2004
Location: NJ, USA
Posts: 2,837
Decided not to purchase ticket for a flight - will wait till end of week. Using Firefox at home and spacing on buttons, calendars, pull downs is too small and cramped. That seems to be really minor compared to some problems, especially getting access to others' records, which is why I'm not buying today
jerseygirl is offline  
Old Jul 31, 2006, 8:41 pm
  #288  
 
Join Date: Feb 2005
Location: PEK
Programs: Alas, the Gravy Train Hath Ended...just happy to be an OW Sapphire and a ST Ivory...whatever
Posts: 4,389
I cannot seem to make the reward buttons work: when searching via the calendar matrix, one cannot use the arrow buttons to search a month ahead/previous without getting an error message....
theblakefish is offline  
Old Jul 31, 2006, 8:50 pm
  #289  
 
Join Date: Jan 2006
Location: ABE/PHL
Programs: CO Pt Infinite (1k life)/ 1MM - NW/DL Silver life/1 MM
Posts: 1,308
Originally Posted by david4455
Why do I get a "security alert" screen when I use the "flight status" function? Never got that before.....
'Cause you've just been put on the super-double-secret watch list.

I wonder if someone will fall into a backdoor into CAPSII, or whatever it is these days?
carpboy is offline  
Old Jul 31, 2006, 8:51 pm
  #290  
 
Join Date: Feb 2005
Location: PEK
Programs: Alas, the Gravy Train Hath Ended...just happy to be an OW Sapphire and a ST Ivory...whatever
Posts: 4,389
Originally Posted by hoch66
Actually, I am the real Sheldon

I thought you were the real Kaiser Sosa.....
theblakefish is offline  
Old Jul 31, 2006, 9:04 pm
  #291  
 
Join Date: May 2006
Location: TPA
Posts: 334
Originally Posted by sjefenole
After I mistakenly invited mbmiles88 and entropy and probably even more people into my account I am scared of continental.com and I can't go to sleep. It is now 4:28 AM CET.
Don't worry, all I did was renew your PC membership and upgrade it to lifetime
But I tried that on one of them just for the heck of it and it was about to actually let me renew someone's PC membership! Obviously I didn't actually do it but still that's scary.
mbmiles88 is offline  
Old Jul 31, 2006, 9:38 pm
  #292  
 
Join Date: Mar 2006
Posts: 163
Originally Posted by theblakefish
I thought you were the real Kaiser Sosa.....
No...I'm the real Kaiser Sose
jdevan00 is offline  
Old Jul 31, 2006, 9:58 pm
  #293  
 
Join Date: Jul 2004
Programs: CO Gold; SPG Gold***; AvisFirst;
Posts: 3,970
Ok, maybe this'll help... the SID in the URL is totally ignored. You can type/retype anything & it doesn't matter. If you delete it entirely, you have to log in again. If you change it to any string of characters the same length, everything behaves as if you didn't change it (I'd say it behaves correctly... but I don't know what that is today).

To make it just a bit worse... you can enter a short or otherwise invalid SID - you'll be asked to login, and then the bogus SID becomes your SID. Doing this I was able to get a "valid" one digit SID. This is just so wrong.

To make it even worse... you can save your URL including a SID (bogus or not)... then logout. If you subsequently paste a previously valid SID from the now logged-out session and go there, you're logged in again - no password!

CO Insider: I'd be happy to walk someone through recreating this if need be.
Cigar: I appreciate what you've done for us and CO... but I'm in IT and this is inexcusable.

updated:

Played a bit more... looks like session state is indeed being tracked by the sid. Problem is that logon state is also tracked by the sid. When you disconnect without logging out, the logged in state remains with the sid and ANYONE can access the account if they know the URL. This is bad, as the URL is in the clear and in browser history. If you log out of the sid, then that specific sid no longer gets you back in. If you don't and the sid is re-issued (or retyped, or posted to a website and clicked)... then someone else has unfettered access to your account.

I strongly recommend that everyone start explicitly logging out when done until this is fixed. If you have browser history you might want to go back and log out of every different session you can find. And, yes, I logged out of SID=1.

CO Insider: please tell your IT people that letting the browser manage security is not acceptable. The logged in or out state MUST be maintained on the server. There are far too many ways to hack in if you trust the browser. This is, no offense, a pretty basic error. Were this to happen where I work, those lucky few who didn't get canned would be testifying before Congress. I would suggest that there are quite a few US and EU rules that have been violated here and some serious damage control is in order.

Last edited by mbreuer; Jul 31, 2006 at 10:11 pm Reason: More info
mbreuer is offline  
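
[Added example, not part of the original thread and not Continental's code: a sketch of the server-side session handling post #293 asks for, where a client-chosen SID is never adopted, logout destroys the server-side record, and an abandoned session expires. The class name, method names and the 15-minute timeout are assumptions made for illustration.]

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value for this example

class SessionStore:
    """Server-side session table: the server, not the URL, decides who is logged in."""
    def __init__(self, clock=time.monotonic):
        self._sessions = {}  # sid -> {"user": str, "last_seen": float}
        self._clock = clock

    def login(self, user, presented_sid=None):
        # Fixation defence: discard any SID the client presented, mint a fresh random one.
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def authenticate(self, sid):
        # Returns the user name, or None if the SID is unknown, logged out or idle too long.
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        # Logout removes the server-side record, so a saved URL with this SID is useless.
        self._sessions.pop(sid, None)

def demo():
    now = [0.0]  # constructed fake clock so the idle timeout can be exercised offline
    store = SessionStore(clock=lambda: now[0])
    sid = store.login("alice", presented_sid="1")  # client tries to choose SID "1"
    out = {"chosen_sid_rejected": store.authenticate("1") is None,
           "issued_sid_works": store.authenticate(sid) == "alice"}
    store.logout(sid)
    out["replay_after_logout_rejected"] = store.authenticate(sid) is None
    sid2 = store.login("alice")
    now[0] += IDLE_TIMEOUT + 1  # user walks away without logging out
    out["abandoned_session_expired"] = store.authenticate(sid2) is None
    return out
```

In a deployment the SID would travel in a Secure, HttpOnly cookie rather than in the URL, which keeps it out of browser history and pasted links.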
Old Jul 31, 2006, 10:04 pm
  #294  
 
Join Date: May 2006
Location: TPA
Posts: 334
Originally Posted by mbreuer
Ok, maybe this'll help... the SID in the URL is totally ignored. You can type/retype anything & it doesn't matter. If you delete it entirely, you have to log in again. If you change it to any string of characters the same length, everything behaves as if you didn't change it (I'd say it behaves correctly... but I don't know what that is today).

To make it just a bit worse... you can enter a short or otherwise invalid SID - you'll be asked to login, and then the bogus SID becomes your SID. Doing this I was able to get a "valid" one digit SID. This is just so wrong.

To make it even worse... you can save your URL including a SID (bogus or not)... then logout. If you subsequently paste a previously valid SID from the now logged-out session and go there, you're logged in again - no password!

CO Insider: I'd be happy to walk someone through recreating this if need be.
Cigar: I appreciate what you've done for us and CO... but I'm in IT and this is inexcusable.
I agree, this is sad. It was OK earlier but this is kind of getting on my nerves. I keep having to edit my links because of that stupid SID at the end. Also I have saved CC numbers in my account that anyone can use to make reservations etc.
mbmiles88 is offline  
Old Jul 31, 2006, 10:50 pm
  #295  
FlyerTalk Evangelist
 
Join Date: Feb 2002
Location: San Francisco/Tel Aviv/YYZ
Programs: CO 1K-MM
Posts: 10,762
Sorry Scott, but this just is REALLY REALLY PATHETIC.
entropy is offline  
Old Jul 31, 2006, 10:51 pm
  #296  
 
Join Date: Apr 2006
Location: ORD
Programs: AA EXP; DL Gold
Posts: 25
Okay, so here are the major issues I've noticed with my attempt to book on co.bomb:

1) Nags the living s**t out of me every time I try to do anything besides stare at the screen with my mouth agape.

2) When I click "View Seats" on a flight, or if I hit enter no matter where I am, it may or may not select the flight as a chosen leg.

3) When I click "View/Edit Seats" option when managing reservations, it just lets me view the g.d. thing! Worse, when I could choose seats, it allowed me to choose it by turning the seat yellow, and then clicking on the other leg, it "forgot" my choice and didn't choose a seat at all!

4) It double reserves flights. So now I have three flights to JFK, when I only chose to reserve it once.

5) You can only manage the first flight on the main page because your other flights are not listed. Clearly they are ignoring those of us who travel more than once to see Aunts Patty's and Selma's trip to Shelbyville...

The good things that probably won't last long:

1) I could reserve flights now and not have to buy them while I await approval from the boss-woman. ^

2) I can choose exit row and bulkhead seating ^ (when the damned website lets me choose seats! )
dkhc is offline  
Old Jul 31, 2006, 11:06 pm
  #297  
 
Join Date: Jan 2006
Location: KAUS
Programs: UA MM
Posts: 1,118
I would like to say that, in addition to adding the record locator (PNR) in the URL problem to this thread, a few months ago I started a thread in which I stated that the EWR intranet was completely compromised, something that I discovered through a Google search. That is, the whole darn thing was open on the internet.

The reaction on Flyertalk was to say that was impossible and to f*rt in my general direction, and a number of people claimed I was lying. That included a CO employee (not CO Insider). I was not lying. It was true. I resisted the temptation to prove what I was saying was right, by posting some details - in that case, mainly security sensitive details.

So, anyway, here I am again. I hope people believe me now. And I still have not heard a d*mn word from Continental about reporting to them the fact that their intranet was hanging out on the internet a few months ago.

Anyway, having d*mn well seen and promptly reported (as opposed to exploited) my share of CO IT fiascos, I sure wish that somebody at CO would acknowledge that fact.
perezoso is offline  
Old Jul 31, 2006, 11:24 pm
  #298  
 
Join Date: Feb 2004
Location: CLE
Programs: UA GS+LT UC, AA EXP+LT PLT, Fairmont LT PLT, Marriott PLT, Hilton DIA, Hyatt Glob, Avis CHM
Posts: 4,671
Some of my current and booked itineraries are in the cancelled section, and for the life of me I can't figure out how to get it back to the current section!
I tried finding it again by conf# and saving it to my account, but CO.Bomb did NOT appreciate that...
ctownflyer is offline  
Old Jul 31, 2006, 11:42 pm
  #299  
 
Join Date: Jan 2005
Location: Seattle, WA
Programs: CO Platinum, AA Gold, UA Premier, Hilton Gold, Hyatt Silver
Posts: 266
My first experience with the new website was weird. I tried to book a flight to Frankfurt in January, but it kept coming back that no seats were available. So I booked a flight into CGN and all of a sudden FRA came up with a seat at a good price (Biz1st).

Then it tried to charge me twice as much for the seat as the price displayed and there was no mention that the price given was one-way.

Strange...just plain strange...
flyingpharmd is offline  
Old Jul 31, 2006, 11:56 pm
  #300  
FlyerTalk Evangelist
 
Join Date: Feb 2002
Location: San Francisco/Tel Aviv/YYZ
Programs: CO 1K-MM
Posts: 10,762
At least they aren't using models on their website like LY is.... www.elal.com, if you look at the plane, the tail stabilizers are on upside down.
I've come to expect that crap from LY but from CO it's surprising.
entropy is offline  

