Harebrained security change on the webpages
#1
Original Poster
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,416
Harebrained security change on the webpages
I discovered that recently QR and other airlines are starting to make changes to their web pages. There's extensive use of captchas for browsers that deny them extensive tracking and fingerprinting, and now I had to reset my password and discovered QR has really done something outright stupid. The process to reset your password is now this:
1. Click the link to say you need to reset password.
2. Input your email/membership number.
3. QR resets your password and mails you a temporary password.
In case this isn't obvious, that means someone can perform a nice DoS on the whole customer base by simply requesting resets done for random users.
The right way is this:
1. Click the link to say you need to reset password.
2. Input your email/membership number.
3. QR website says "if you exist in our systems you will now get a link by email that will authenticate you and take you to a web page to deal with the password recovery"
4. Said link arrives by email
5. You click it and you input your new password.
Now... if it had only been limited to this stupidity. Next up, once you go to input your password they have gone to extensive lengths to disable pasting of passwords. This means if you use a password manager and want to paste in your 24 character unique password, it can't be done. It has to be keyed in by hand. Twice. Guess what 99% of people do? Hint: it involves typing in bad passwords that shouldn't be used.
Bad QR!
Meh,
A
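The five-step flow the post calls "the right way", written out as an added Python sketch (not QR's code and not from anyone in the thread). The `USERS`, `RESET_TOKENS` and `OUTBOX` stores and the example.invalid link are constructed stand-ins for a database, a token table and an outgoing mail queue:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a database and a mail queue.
USERS = {"alice@example.com": {"pw_hash": b"original", "salt": b"s"}}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry_timestamp)
OUTBOX = []         # (recipient, reset_link) that would go out by email
TOKEN_TTL = 15 * 60
GENERIC_REPLY = "If that address is registered, a reset link has been emailed."

def _digest(token):
    # Store only a hash of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def request_reset(email, now=None):
    """Steps 2-4: the stored password is left untouched and the reply is the
    same whether or not the account exists, so mass requests can neither lock
    members out (the DoS the post describes) nor enumerate who is a member."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[_digest(token)] = (email, now + TOKEN_TTL)
        OUTBOX.append((email, f"https://example.invalid/reset?token={token}"))
    return GENERIC_REPLY

def complete_reset(token, new_password, now=None):
    """Step 5: the emailed token is what authenticates the user; only then is
    the password changed. Tokens are single-use and expire."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_digest(token), None)  # pop() makes it single-use
    if entry is None or now > entry[1]:
        return False
    email, _ = entry
    salt = secrets.token_bytes(16)
    USERS[email] = {"pw_hash": hash_password(new_password, salt), "salt": salt}
    return True

def verify_password(email, password):
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
```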
#4
Original Poster
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,416
Also, I saw someone in the security industry that lurks here did a tweet with a link to this thread to get QR's attention. They acted swiftly and resolutely, and told him how important he was and please send emails to [email protected].
-A
#6
Join Date: Mar 2000
Posts: 935
Most airlines print the PNR and the pax name on the baggage tag. They get ripped off and people throw them in the bins at airports; this allows very easy access to their bookings on airlines' websites and call centres for that matter.
#7
Original Poster
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,416
And this lunacy comes back to bite. Something is causing QR to flag my account as needing password reset and I have yet again to deal with this non-paste crap to get back into my account.
Off to Cathay Pacific to find alternatives. This is just moronic.
-A
#8
Original Poster
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,416
And back on this. Third time in a few weeks the account has been locked up. All I wanted was to spend my miles. My next two long-hauls are on CX and BA. Sent email to [email protected] to let them know how this just annoys people and doesn't accomplish anything security-wise.
-A
#9
Original Poster
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,416
I'm done with QR and "customer service". I've spent some days back and forth on email trying to explain the issue to them, and all I get back is: "Well, if you can't type your own password 10 times we have to lock your account for safety reasons....".
-A