United website breach let fliers see each others' private data

“United”

Now there’s your first problem.

4 Likes

Ooh, only $44 dollars to get access to my nation’s head of state?

Wait, isn’t revealing a security flaw a felony now? I’m surprised the SWAT team hasn’t already come for her.

1 Like

Thanks for the heads-up, @RHD, we’ve fixed the problem with that image.

2 Likes

Can’t reduce the screenshot size when sending email? That’s odd… my walled-garden iPhone has that feature built into its photo email function. I use it frequently. Perhaps she should chat with the writer of her phone’s OS.

Oh, and United is rumored to suck. I don’t fly them.

WRT being able to request multi-thousand-dollar upgrades for strangers, looks like you weren’t able to for any of those legs shown – ‘Upgrade not offered’. Last pic, according to FlightAware the equipment for this sector on this date was an E120. SeatGuru shows it with economy class only, so obviously nothing to upgrade in to. And then there’s the small matter of paying for it.

What you are looking at here is a caching error. A well-meaning administrator has accidentally caused per-user pages to be cached and re-served to subsequent users.

Sure, you were looking at the wrong content, but didn’t you notice how quickly it was served?

6 Likes

That was my first thought, too. I caused a problem like this the first time I put a web app behind a CDN. Fortunately for me it was just a small test platform. I can only imagine the epic sphincter winking that some poor geek at United experienced. I wonder if they’ve recovered the rest of his Aeron yet…

2 Likes

Agreed

Went to sign on @ United, and I get this: “username and email sign-on are currently unavailable.” Hmmmm…

I’m not sure that the legislation covering data breaches is pertinent here, a brief look suggests it includes soc sec, driving licence or credit card numbers.

Yep, I got that too. After a couple of days I finally figured out that what they mean is that you can’t sign in with your username or email address as the login name, instead you have to use your frequent flyer number. Why they can’t just say that is a mystery to me, but as a recently very frequent flyer with them I have quickly learned to expect chaos in everything they do.

Good thing I didn’t need to do anything important that day, otherwise I’d probably be able to run down the hold music playlist for you…

One of two features on which Apple continues to nail it. (The other being how it handles swapping multiple phone calls).

It’s really a shame that United operates almost a quarter of the flights at the largest regional airport. We don’t qualify for Essential Air, so it’s legacies or JetBlue at 150% the price of the legacies (I’ll gladly pay that penalty any day).

I ended up calling them bc I didn’t have a membership and have prior reservations that were made without a membership. I was concerned that the reservations would be lost in the system, so called them to transfer the reservation to a newly made account. I have the app on my phone which is very convenient and used it for the holiday travels. Unfortunately, even that required membership account login. I don’t recall ever getting information that I was required to have a membership. You win, United :frowning:

This topic was automatically closed after 5 days. New replies are no longer allowed.