United website breach let fliers see each other's private data



Now there’s your first problem.


Ooh, only $44 dollars to get access to my nation’s head of state?

Wait, isn’t revealing a security flaw a felony now? I’m surprised the SWAT team hasn’t already come for her.

Thanks for the heads-up, @RHD, we’ve fixed the problem with that image.


Can’t reduce the screenshot size when sending email? That’s odd… my walled-garden iPhone has that feature built into its photo email function. I use it frequently. Perhaps she should chat with the writer of her phone’s OS.

Oh, and United is rumored to suck. I don’t fly them.

WRT being able to request multi-thousand-dollar upgrades for strangers, looks like you weren’t able to for any of those legs shown – ‘Upgrade not offered’. Last pic, according to FlightAware the equipment for this sector on this date was an E120. SeatGuru shows it with economy class only, so obviously nothing to upgrade into. And then there’s the small matter of paying for it.

What you are looking at here is a caching error. A well-meaning administrator has accidentally caused per-user pages to be cached and re-served to subsequent users.

Sure, you were looking at the wrong content, but didn’t you notice how quickly it was served?


That was my first thought, too. I caused a problem like this the first time I put a web app behind a CDN. Fortunately for me it was just a small test platform. I can only imagine the epic sphincter winking that some poor geek at United experienced. I wonder if they’ve recovered the rest of his Aeron yet…
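The caching failure suggested in the two comments above, as an added example that is not part of the thread and not United's code: a shared cache keyed by URL alone stores a per-user page and serves it to the next visitor, unless the origin marks the response `private` or `no-store`. The path, user names and page body are constructed for illustration.

```python
# Constructed simulation: a shared cache (reverse proxy or CDN) in front of an
# origin that renders per-user pages from the session cookie.
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

class SharedCache:
    """Keys entries by URL path only, so the session never enters the cache key."""

    def __init__(self):
        self.store = {}

    @staticmethod
    def storable(resp):
        # A shared cache must not store responses marked private or no-store.
        # A missing header is treated as storable here (heuristic caching).
        raw = resp.headers.get("Cache-Control", "")
        directives = {d.strip().lower() for d in raw.split(",")}
        return not directives & {"private", "no-store"}

    def get(self, path, user, origin):
        if path in self.store:
            return self.store[path]  # HIT: returned without looking at the session
        resp = origin(user)  # MISS: origin renders the page for this user
        if self.storable(resp):
            self.store[path] = resp
        return resp

def simulate(cache_control):
    """Return the page bodies seen by alice, then bob, for the same URL."""
    cache = SharedCache()

    def origin(user):  # hypothetical per-user page
        return Response(f"Reservations for {user}", {"Cache-Control": cache_control})

    return [cache.get("/account/reservations", u, origin).body for u in ("alice", "bob")]

if __name__ == "__main__":
    print(simulate("public, max-age=300"))  # misconfigured: per-user page cached
    print(simulate("private, no-store"))    # corrected: cache passes through
```
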



Went to sign on @ United, and I get this: “username and email sign-on are currently unavailable.” Hmmmm…

I’m not sure that the legislation covering data breaches is pertinent here, a brief look suggests it includes soc sec, driving licence or credit card numbers.

Yep, I got that too. After a couple of days I finally figured out that what they mean is that you can’t sign in with your username or email address as the login name, instead you have to use your frequent flyer number. Why they can’t just say that is a mystery to me, but as a recently very frequent flyer with them I have quickly learned to expect chaos in everything they do.

Good thing I didn’t need to do anything important that day, otherwise I’d probably be able to run down the hold music playlist for you…

One of two features on which Apple continues to nail it. (The other being how it handles swapping multiple phone calls).

It’s really a shame that United operates almost a quarter of the flights at the largest regional airport. We don’t qualify for Essential Air, so it’s legacies or JetBlue at 150% the price of the legacies (I’ll gladly pay that penalty any day).

I ended up calling them bc I didn’t have a membership and have prior reservations that were made without a membership. I was concerned that the reservations would be lost in the system, so called them to transfer the reservation to a newly made account. I have the app on my phone which is very convenient and used it for the holiday travels. Unfortunately, even that required membership account login. I don’t recall ever getting information that I was required to have a membership. You win, United :(

