
Harebrained security change on the webpages

Old Mar 27, 2019, 5:29 am
  #1  
Original Poster
 
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,416
Harebrained security change on the webpages

I discovered that recently QR and other airlines are starting to make changes to their web pages. There's extensive use of captchas for browsers that deny them extensive tracking and fingerprinting, and now I had to reset my password and discovered QR has really done something outright stupid. The process to reset your password is now this:

1. Click the link to say you need to reset password.
2. Input your email/membership number.
3. QR resets your password and mails you a temporary password.

In case this isn't obvious, that means someone can perform a nice DoS on the whole customer base by simply requesting resets done for random users.

The right way is this:
1. Click the link to say you need to reset password.
2. Input your email/membership number.
3. QR website says "if you exist in our systems you will now get a link by email that will authenticate you and take you to a web page to deal with the password recovery"
4. Said link arrives by email
5. You click it and you input your new password.

Now... if it had only been limited to this stupidity. Next up, once you go to input your password they have gone to extensive lengths to disable pasting of passwords. This means if you use a password manager and want to paste in your 24 character unique password, it can't be done. It has to be keyed in by hand. Twice. Guess what 99% of people do? Hint: it involves typing in bad passwords that shouldn't be used.

Bad QR!

Meh,
A
mpkz and florin like this.
ph-ndr is offline  
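The link-based flow outlined in post #1, as an added Python sketch that is not part of the thread and not QR's code. The in-memory stores, the `example.invalid` URL, the 15-minute token lifetime and the PBKDF2 parameters are assumptions; the point is that requesting a reset never changes the stored password and the reply is the same for known and unknown accounts.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 15 * 60   # assumed link lifetime in seconds
GENERIC_REPLY = "If you exist in our systems you will now get a link by email."

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def check_password(stored, password):
    return hmac.compare_digest(stored, hash_password(password, stored[:16]))

class ResetService:
    def __init__(self):
        self.users = {}     # email -> salted password hash
        self.pending = {}   # sha256(token) -> (email, expiry); raw token is never stored
        self.outbox = []    # (email, link); stands in for the mail queue

    def add_user(self, email, password):
        self.users[email] = hash_password(password)

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            # Only the newest link for an account stays valid.
            self.pending = {d: v for d, v in self.pending.items() if v[0] != email}
            self.pending[digest] = (email, now + TOKEN_TTL)
            self.outbox.append((email, "https://example.invalid/reset?token=" + token))
        # The stored password is untouched and the reply is identical either way.
        return GENERIC_REPLY

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # single use: removed on first try
        if entry is None or now > entry[1]:
            return False
        self.users[entry[0]] = hash_password(new_password)
        return True
```
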
Old Mar 27, 2019, 9:24 am
  #2  
 
Join Date: Jan 2014
Posts: 2,674
Pay peanuts, get monkeys - applies to almost everything QR does except inflight service
Traveller999, NoY and florin like this.
mpkz is offline  
Old Apr 1, 2019, 5:01 am
  #3  
 
Join Date: Jan 2014
Posts: 2,674
Just failed to login (I think it's because I have noscript, but not sure) because of their stupid captcha protection. What a useful invention, I'm sure people are spamming their login page with requests.
mpkz is offline  
Old Apr 1, 2019, 5:17 am
  #4  
Original Poster
 
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,416
Originally Posted by mpkz
Just failed to login (I think it's because I have noscript, but not sure) because of their stupid captcha protection. What a useful invention, I'm sure people are spamming their login page with requests.
I spoke to someone elsewhere in the industry and they told me that on average 80% of attempted logins are from sources that aren't the account's actual owners. I'm sure the scammers are delighted by these changes.

Also, I saw someone in the security industry that lurks here did a tweet with a link to this thread to get QR's attention. They acted swiftly and resolutely, and told him how important he was and please send emails to [email protected].

-A
ph-ndr is offline  
Old Apr 1, 2019, 11:00 am
  #5  
Suspended
 
Join Date: Jun 2018
Posts: 74
It is also possible to access someone's bookings with just QRPC number and last name, which I think is pretty poor in terms of security....
flyertalker09567 is offline  
Old Apr 1, 2019, 7:19 pm
  #6  
R2
 
Join Date: Mar 2000
Posts: 935
Originally Posted by Tom_D
It is also possible to access someone's bookings with just QRPC number and last name, which I think is pretty poor in terms of security....
Most airlines print the PNR and the pax name on the baggage tag. They get ripped off and people throw them in the bins at airports; this allows very easy access to their bookings on airlines' websites and call centres for that matter.
R2 is offline  
Old Apr 24, 2019, 6:10 am
  #7  
Original Poster
 
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,416
And this lunacy comes back to bite. Something is causing QR to flag my account as needing password reset and I have yet again to deal with this non-paste crap to get back into my account.

Off to Cathay Pacific to find alternatives. This is just moronic.

-A
ph-ndr is offline  
Old Jun 16, 2019, 4:15 pm
  #8  
Original Poster
 
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,416
And back on this. Third time in a few weeks the account has been locked up. All I wanted was to spend my miles. My next two longhauls are on CX and BA. Sent email to [email protected] to let them know how this just annoys people and doesn't accomplish anything securitywise.

-A
NoY likes this.
ph-ndr is offline  
Old Jun 18, 2019, 10:47 pm
  #9  
Original Poster
 
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,416
I'm done with QR and "customer service". I've spent some days back and forth on email trying to explain the issue to them, and all I get back is: "Well, if you can't type your own password 10 times we have to lock your account for safety reasons....".

-A
NoY likes this.
ph-ndr is offline  
