FlyerTalk Forums

FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Qatar Airways | Privilege Club (https://www.flyertalk.com/forum/qatar-airways-privilege-club-644/)
-   -   Harebrained security change on the webpages (https://www.flyertalk.com/forum/qatar-airways-privilege-club/1962752-harebrained-security-change-webpages.html)

ph-ndr Mar 27, 2019 5:29 am

Harebrained security change on the webpages

I discovered that recently QR and other airlines are starting to make changes to their web pages. There's extensive use of captchas for browsers that deny them extensive tracking and fingerprinting, and now I had to reset my password and discovered QR has really done something outright stupid. The process to reset your password is now this:

1. Click the link to say you need to reset password.
2. Input your email/membership number.
3. QR resets your password and mails you a temporary password.

In case this isn't obvious, that means someone can perform a nice DoS on the whole customer base by simply requesting resets done for random users.

The right way is this:
1. Click the link to say you need to reset password.
2. Input your email/membership number.
3. QR website says "if you exist in our systems you will now get a link by email that will authenticate you and take you to a web page to deal with the password recovery"
4. Said link arrives by email
5. You click it and you input your new password.

Now... if it had only been limited to this stupidity. Next up, once you go to input your password they have gone to extensive lengths to disable pasting of passwords. This means if you use a password manager and want to paste in your 24 character unique password, it can't be done. It has to be keyed in by hand. Twice. Guess what 99% of people do? Hint: it involves typing in bad passwords that shouldn't be used.

Bad QR!

Meh,
A
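The two reset flows described in the post, side by side, as an added example (not Qatar Airways' code and not from the original post). It uses a constructed in-memory user store and mail outbox, a hypothetical `example.invalid` reset URL, an assumed 15-minute link lifetime, and plain SHA-256 as a stand-in for a real password hash. `flawed_request_reset` overwrites the victim's password on request alone, which is the lockout-by-stranger problem the post describes; `request_reset` only stores a hashed single-use token and returns the same message whether or not the account exists, so nothing changes until the link is used.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

RESET_TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)


def hash_password(password: str) -> str:
    # Stand-in so the example runs without extra packages; a real deployment
    # would use a slow, salted password hash (argon2id, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def hash_token(token: str) -> str:
    # Only the hash of a reset token is stored, so a leaked table does not
    # hand out usable links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class User:
    email: str
    password_hash: str


@dataclass
class ResetRequest:
    email: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    # Constructed in-memory stand-ins for the user database and the mail system.
    def __init__(self, users):
        self.users = {u.email: u for u in users}
        self.pending = {}   # token hash -> ResetRequest
        self.outbox = []    # (email, body) pairs "sent" by the service

    def check_login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and user.password_hash == hash_password(password)

    # The flow the post complains about: the request alone replaces the
    # account's password, so anyone who knows an address can lock the owner out.
    def flawed_request_reset(self, email: str) -> str:
        user = self.users.get(email)
        if user is not None:
            temp = secrets.token_urlsafe(8)
            user.password_hash = hash_password(temp)
            self.outbox.append((email, f"Your temporary password is {temp}"))
            return "A temporary password has been emailed."
        return "Unknown account."  # also reveals which addresses exist

    # The flow the post recommends: nothing changes until the link is used, and
    # the response is identical whether or not the account exists.
    def request_reset(self, email: str) -> str:
        user = self.users.get(email)
        if user is not None:
            token = secrets.token_urlsafe(32)
            self.pending[hash_token(token)] = ResetRequest(
                email=email, expires_at=time.time() + RESET_TOKEN_TTL)
            self.outbox.append(
                (email, f"https://example.invalid/reset?token={token}"))
        return "If that account exists, a reset link has been emailed."

    def complete_reset(self, token: str, new_password: str) -> bool:
        req = self.pending.get(hash_token(token))
        if req is None or req.used or time.time() > req.expires_at:
            return False
        req.used = True  # links are single-use
        self.users[req.email].password_hash = hash_password(new_password)
        return True
```

Because `request_reset` does not touch the stored password, a stranger requesting resets for every member changes nothing for them; at worst it sends unsolicited mail, which is where per-address rate limiting belongs.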

mpkz Mar 27, 2019 9:24 am

Pay peanuts, get monkeys - applies to almost everything QR does except inflight service

mpkz Apr 1, 2019 5:01 am

Just failed to login (I think it's because I have noscript, but not sure) because of their stupid captcha protection. What a useful invention, I'm sure people are spamming their login page with requests.

ph-ndr Apr 1, 2019 5:17 am


Originally Posted by mpkz (Post 30951790)
Just failed to login (I think it's because I have noscript, but not sure) because of their stupid captcha protection. What a useful invention, I'm sure people are spamming their login page with requests.

I spoke to someone elsewhere in the industry and they told me that on average 80% of attempted logins are from sources that aren't the account's actual owners. I'm sure the scammers are delighted by these changes.

Also, I saw someone in the security industry that lurks here did a tweet with a link to this thread to get QR's attention. They acted swiftly and resolutely, and told him how important he was and please send emails to [email protected].

-A

flyertalker09567 Apr 1, 2019 11:00 am

It is also possible to access someone's bookings with just the QRPC number and last name, which I think is pretty poor in terms of security....

R2 Apr 1, 2019 7:19 pm


Originally Posted by Tom_D (Post 30952966)
It is also possible to access someone's bookings with just the QRPC number and last name, which I think is pretty poor in terms of security....

Most airlines print the PNR and the pax name on the baggage tag. They get ripped off and people throw them in the bins at airports; this allows very easy access to their bookings on airlines' websites and call centres for that matter.

ph-ndr Apr 24, 2019 6:10 am

And this lunacy comes back to bite. Something is causing QR to flag my account as needing password reset and I have yet again to deal with this non-paste crap to get back into my account.

Off to Cathay Pacific to find alternatives. This is just moronic.

-A

ph-ndr Jun 16, 2019 4:15 pm

And back on this. Third time in a few weeks the account has been locked up. All I wanted was to spend my miles. My next two longhauls are on CX and BA. Sent email to [email protected] to let them know how this just annoys people and doesn't accomplish anything security-wise.

-A

ph-ndr Jun 18, 2019 10:47 pm

I'm done with QR and "customer service". I've spent some days back and forth on email trying to explain the issue to them, and all I get back is: "Well, if you can't type your own password 10 times we have to lock your account for safety reasons....".

-A
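The thread's two threads of evidence, that most login attempts come from people other than the account owner and that a fixed number of failures locks the account, combine into the lockout the poster keeps hitting: anyone can spend ten guesses on a member's account and lock the member out. As an added example (not Qatar Airways' code and not from any post here), the detection logic below runs over constructed log lines in an assumed format and contrasts a count-only lockout with one that first sets aside sources whose failures span many distinct accounts, the pattern of credential stuffing, so that attacker traffic is not charged against the victim.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN_(?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample events in an assumed log format (not real airline logs):
# alice mistypes twice from her own address and then succeeds, while one
# unrelated address hammers her account and also tries five other accounts.
SAMPLE_LOG = [
    "2019-06-18T10:00:01Z LOGIN_FAIL user=alice ip=198.51.100.7",
    "2019-06-18T10:00:05Z LOGIN_FAIL user=alice ip=198.51.100.7",
    "2019-06-18T10:00:09Z LOGIN_OK user=alice ip=198.51.100.7",
] + [
    f"2019-06-18T11:00:{i:02d}Z LOGIN_FAIL user=alice ip=203.0.113.5"
    for i in range(10)
] + [
    f"2019-06-18T11:01:{i:02d}Z LOGIN_FAIL user={u} ip=203.0.113.5"
    for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])
]


def parse(lines):
    """Turn raw lines into dicts, skipping anything that does not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_user(events):
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[e["user"]] += 1
    return dict(counts)


def naive_lockouts(events, threshold=10):
    """The policy quoted in the thread: N failed attempts lock the account,
    no matter where the attempts came from. Anyone can trigger it."""
    return {u for u, n in failures_by_user(events).items() if n >= threshold}


def stuffing_sources(events, min_distinct_users=5):
    """Addresses whose failures span many distinct accounts look like
    credential stuffing rather than a forgetful customer."""
    users_per_ip = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users_per_ip[e["ip"]].add(e["user"])
    return {ip for ip, users in users_per_ip.items()
            if len(users) >= min_distinct_users}


def source_aware_lockouts(events, threshold=10, min_distinct_users=5):
    """Throttle the abusive sources first and count only the remaining
    failures against the account, so an attacker cannot lock out the owner."""
    noisy = stuffing_sources(events, min_distinct_users)
    remaining = [e for e in events if e["ip"] not in noisy]
    return naive_lockouts(remaining, threshold)
```

On the sample, the count-only policy locks alice after the stranger's ten guesses, while the source-aware version flags 203.0.113.5 and leaves alice's two genuine mistakes well under the threshold. The thresholds are assumptions for the example; the point is the ordering, source before account.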

