Even anyone with the most rose tinted specs would have difficulty pinning this on anyone but QF.
Yeah, I have a few more thoughts on this;I've got experience in this domain and I think you've nailed it. Absolutely reeks of a misconfigured cache and explains why people with trips/boarding passes for today seem to be the ones who were disproportionately exposed as they would have used the app very recently and their data would be fresh in the cache. The QF media release alludes to the fact that it wouldn't have been possible to perform actions such as transferring points... so it doesn't sound like the API endpoints were allowing users to perform actions against other accounts (known as "horizontal privilege escalation") other than changing seats (because you only need a PNR + last name which was in the exposed data anyway) which further supports the theory. Great post
I think this is unlikely since it's the Qantas Loyalty system that's serving up this data. Maybe if the issue was limited to Manage My Booking etc., then it could be Amadeus etc.
I just tried "Manage Booking" in the app and it directed me to a "semi" authenticated view of MMB. It didn't log me into my QFF account but it showed me the same view that I would see if I just use the PNR/last name to manage my booking rather than logging in. If this was possible to do for other people's bookings today, then there is more data than just "name, upcoming flight details, points balance and status" that QF mentioned in their media release that would have been exposed to others. The semi-authenticated MMB view also shows e-mail, phone number, APIS details including DOB and passport number (if completed) and also allows you to cancel/change flights in some instances.
This is an interesting one - as this kind of issue is driven from the backend side of things and you'd think both Android and iOS versions of the QF app would be sharing a common backend thus both impacted but may not be the case.
100% - if this is a caching issue the flood of users logging into check would have exasperated the issue and put those users at risk as well.
Also agree with this. QF have their own backend for their app - its not developed by Amadeus like MMB is.
I think they just mean they have the normal "how we are supposed to check domestic passengers" routine that unofficially means someone else can be flying in your name even if its illegal.
I'd be surprised if you need a full authentication for MMB. I mean you can alter anyones MMB with just PNR and surname online from the MMB page. They never needed more than that.
Almost no chance. This is in-app and not even everyone. Clearly something was pushed to one version of the app overnight.
I just tested this further with a couple of my bookings. It seems like bookings made with points you can cancel without being logged in but you need to log in to make changes. However for cash bookings, MMB will let you change and cancel the flight even if not logged in.
Struggling to use your Frequent Flyer Points?
Frequent Flyer Concierge takes the hard work out of finding award availability and redeeming your frequent flyer or credit card points for flights.
Using their expert knowledge and specialised tools, the Frequent Flyer Concierge team at Frequent Flyer Concierge will help you book a great trip that maximises the value for your points.
It can take some time for something like that to be acknowledged before some are empowered to take action.
That’s an interesting point. Wonder if there’s any pattern as to which version/build of the app was affected?
Perhaps @RooFlyer this was caused by your mates at QR still sore about being denied extra capacity into Australia?
Plus change management procedures can be a biatch at times...
Sample AFF with no advertisements? More..
