Hacker News on Gopher (unofficial)
COMMENT PAGE FOR:
Qantas app data breach allows customers to access strangers' booking details
ec109685 wrote 6 hours 9 min ago:
PII data should be stored in encrypted form with tightly controlled
keys.
Web servers should decrypt on an as-needed basis by exchanging user
cookies / tokens for decryption keys.
That prevents having "god" servers in the frontend serving path
that are a malformed SQL query away from exposing all data.
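The design sketched in this comment, as an added example that is not from the thread or from Qantas: a hypothetical KeyService holds the master key and one wrapped data key per customer, and the web tier can only trade a valid session token for the data key of the customer that session belongs to. The customer and booking values are constructed, and the cipher is a stdlib-only HMAC-SHA256 counter-mode stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32
SAMPLE_KEY = bytes(range(32))  # constructed fixed key, used only for a round-trip self-check


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC subkeys from one 32-byte key
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. A stand-in for a real AEAD
    # such as AES-GCM so this example runs on the standard library alone.
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; layout is nonce || ciphertext || tag
    nonce = os.urandom(NONCE_LEN)
    body = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(_subkey(key, b"enc"), nonce, body)


class KeyService:
    """Hypothetical key service: the only component holding the master key.
    It wraps one data key (DEK) per customer and unwraps it for a web server
    only when the presented session token belongs to that same customer."""

    def __init__(self):
        self._master = os.urandom(32)
        self._wrapped = {}   # user_id -> DEK encrypted under the master key
        self._sessions = {}  # session token -> user_id

    def dek_for_ingest(self, user_id: str) -> bytes:
        # Trusted write path (booking creation) gets the customer's DEK directly
        if user_id not in self._wrapped:
            self._wrapped[user_id] = encrypt(self._master, os.urandom(32))
        return decrypt(self._master, self._wrapped[user_id])

    def login(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def unwrap_for_session(self, token: str, user_id: str) -> bytes:
        # The web tier never sees the master key; it can only trade a valid
        # session token for the DEK of the customer that session belongs to
        if self._sessions.get(token) != user_id:
            raise PermissionError("session token does not belong to requested user")
        return decrypt(self._master, self._wrapped[user_id])


class WebServer:
    """Front-end tier: holds only ciphertext plus a channel to the key service."""

    def __init__(self, key_service: KeyService, ciphertext_db: dict):
        self.keys = key_service
        self.db = ciphertext_db

    def show_booking(self, token: str, user_id: str) -> str:
        dek = self.keys.unwrap_for_session(token, user_id)
        return decrypt(dek, self.db[user_id]).decode()


def demo():
    # Constructed sample data: two customers, one booking each
    keys = KeyService()
    db = {}
    for uid, booking in [("alice", "QF1 SYD-LHR seat 12A"), ("bob", "QF2 LHR-SYD seat 30C")]:
        db[uid] = encrypt(keys.dek_for_ingest(uid), booking.encode())
    web = WebServer(keys, db)
    alice_token = keys.login("alice")
    own = web.show_booking(alice_token, "alice")
    try:
        # Simulates the session/user mix-up: Alice's session asked to render Bob's record
        web.show_booking(alice_token, "bob")
        cross = "leaked"
    except PermissionError:
        cross = "refused"
    return own, cross


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a bug in the web tier (wrong user id, malformed query) yields ciphertext it cannot open: the key service refuses the unwrap because the session token and the requested customer do not match, so the mix-up fails closed instead of rendering someone else's booking.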
contingencies wrote 8 hours 24 min ago:
Perhaps a whole integer session key value store combined with some form
of refresh or update leading to user/session mismatches.
dools wrote 9 hours 11 min ago:
This isn't really a data breach, it's a bug in the app. And it
didn't "allow people to access strangers' details", it showed each
person the wrong details after they logged in. Like you couldn't then
pick another person and view their details, you were just logged into
the wrong account. Still pretty dumb, but also pretty dumb reporting.
But then it's 7 News so ...
Narkov wrote 8 hours 5 min ago:
> This isn't really a data breach,
This is totally a data breach. Show another customer's data to a
random person = data breach. People had access to valid boarding
passes for flights they had no right to board.
> it's a bug in the app.
Generally, bugs are responsible for most data breaches.
> And it didn't "allow people to access strangers' details", it
showed each person the wrong details after they logged in.
You are downplaying the incident here. "Strangers" definitely did
"access" other people's information. Just because it wasn't malicious
doesn't mean data hasn't been breached.
dools wrote 7 hours 13 min ago:
> This is totally a data breach. Show another customer's data to a
random person = data breach.
Yep, you're right, the legal definition of a data breach includes
"someone's personal information is sent to the wrong person." [1]
> Generally, bugs are responsible for most data breaches.
Sometimes. I don't think you could call all security
vulnerabilities bugs. In this case, it was a bug that showed people
the wrong flight details.
> You are downplaying the incident here. "Strangers" definitely did
"access" other people's information. Just because it wasn't
malicious doesn't mean data hasn't been breached.
Well, I'm downplaying from the over-sensationalised (in my opinion)
language in the article. Strangers saw the wrong person's flight
details, so access was given to that information, but the way it's
worded makes it sound as though a stranger was able to pick a
person and view their information, or download a bunch of
information and view it.
To me, seeing one other person's flight details when you log in is
far less dramatic. Like the headline here could refer to a
vulnerability in their system which enabled me to, say, vary a
query parameter or change the email in settings to any email and
then see that person's flight details.
The case is more like accidentally sending a text message to
someone with the wrong flight details and allowing them to reply Y
or N to confirm the flight.
If the headline said "Bug in Qantas app shows people the wrong
flight details" (which I think is a much more accurate description
of what happened) we probably wouldn't be having this discussion,
and 7 News would have missed out on about 100k hits (although to be
fair the HN crowd is probably pretty skewed towards using ad
blockers ... )
[1]: https://www.oaic.gov.au/privacy/your-privacy-rights/data-b...
NoPicklez wrote 8 hours 56 min ago:
It's a bug in the app which has caused a data breach unintentionally.
But it is not a wide-scale data breach caused by a malicious person,
no.
chii wrote 8 hours 31 min ago:
I think they should've used the word "leak" rather than "breach".
"Breach" assumes an intentional actor.
NoPicklez wrote 7 hours 42 min ago:
I agree, "leak" is probably the better term.
justinclift wrote 9 hours 12 min ago:
Sounds like an incorrectly scoped WHERE (or maybe even JOIN?) on a SQL
query.
Plus inadequate (automatic) testing that should have caught the
problem before it was committed to the main development tree.
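The failure mode this comment guesses at, as an added example (not code from the thread or from Qantas): a booking lookup whose WHERE clause filters on the flight but never on the customer, next to the correctly scoped query, and the kind of automated isolation check that would have flagged the first one before merge. The schema, the customer names and the seat assignments are constructed; sqlite3 stands in for whatever database the app actually uses.

```python
import sqlite3

SCHEMA = """
CREATE TABLE bookings (
    id      INTEGER PRIMARY KEY,
    user_id TEXT NOT NULL,
    flight  TEXT NOT NULL,
    seat    TEXT NOT NULL
);
"""

# Constructed fixture: two customers share flight QF1, only bob is on QF2
FIXTURE = [
    ("alice", "QF1", "12A"),
    ("bob", "QF1", "30C"),
    ("bob", "QF2", "4F"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO bookings (user_id, flight, seat) VALUES (?, ?, ?)", FIXTURE
    )
    return conn


def seat_unscoped(conn, user_id, flight):
    # BUG: user_id is accepted by the function but never reaches the WHERE clause,
    # so whoever asks about QF1 is shown the first QF1 row, i.e. alice's seat
    return conn.execute(
        "SELECT user_id, seat FROM bookings WHERE flight = ? ORDER BY id LIMIT 1",
        (flight,),
    ).fetchone()


def seat_scoped(conn, user_id, flight):
    # Fixed: every row returned is constrained to the requesting customer
    return conn.execute(
        "SELECT user_id, seat FROM bookings WHERE user_id = ? AND flight = ? ORDER BY id LIMIT 1",
        (user_id, flight),
    ).fetchone()


def check_isolation(lookup) -> bool:
    """Automated test: each result must belong to the customer who asked for it,
    and a customer with no booking on a flight must get nothing rather than
    someone else's row. Returns False as soon as the lookup leaks."""
    conn = make_db()
    for user_id, flight, _seat in FIXTURE:
        row = lookup(conn, user_id, flight)
        if row is None or row[0] != user_id:
            return False
    return lookup(conn, "alice", "QF2") is None
```

Run check_isolation against both lookups in CI: the unscoped query fails on the second fixture row (bob asks about QF1 and receives alice's seat), the scoped one passes. A fixture with at least two customers on the same flight is what makes the test meaningful; with one customer per flight both queries would look correct.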
selalipop wrote 9 hours 0 min ago:
Sounds more like a typical caching issue than anything.
spondyl wrote 8 hours 37 min ago:
Yeah, it sounds pretty identical to a caching issue that happened
to Steam way back on Christmas Day of 2015:
[1]: https://store.steampowered.com/oldnews/19852
lathiat wrote 8 hours 26 min ago:
Yep, plenty of these have come up over time. Can't think of
the names of them at this point but I am sure I recall at least
5+ incidents of exactly this caused by incorrect caching.
justinclift wrote 8 hours 54 min ago:
Good point, yeah that would do it too.
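The caching failure this sub-thread describes (and the shape of the 2015 Steam incident linked above), as an added example that is neither the thread's nor any vendor's code: a shared cache in front of the app stores responses by URL path, so a per-customer page served without a private/no-store directive is handed to the next customer who requests the same path. The session tokens and bookings are constructed, and SharedCache is a hypothetical model of a CDN or reverse proxy.

```python
from dataclasses import dataclass, field

# Constructed session table and bookings (not real tokens)
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
BOOKINGS = {"alice": "QF1 SYD-LHR seat 12A", "bob": "QF2 LHR-SYD seat 30C"}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def origin_buggy(path: str, cookie: str) -> Response:
    # Authenticated, per-customer page returned with no cache directive at all,
    # so an intermediary is free to treat it like any other GET
    return Response(BOOKINGS[SESSIONS[cookie]])


def origin_fixed(path: str, cookie: str) -> Response:
    # Same page, now marked as belonging to one user and never to be stored
    return Response(BOOKINGS[SESSIONS[cookie]], {"Cache-Control": "private, no-store"})


class SharedCache:
    """Models a CDN / reverse proxy that keys cached responses by URL path only.
    It honours Cache-Control but otherwise knows nothing about sessions."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}
        self.origin_hits = 0

    def get(self, path: str, cookie: str) -> Response:
        if path in self.store:
            return self.store[path]
        self.origin_hits += 1
        resp = self.origin(path, cookie)
        directives = {d.strip().lower() for d in resp.headers.get("Cache-Control", "").split(",")}
        if not directives & {"private", "no-store"}:
            self.store[path] = resp
        return resp


def replay(origin):
    """Alice loads her booking, then Bob loads his, through the same shared cache.
    Returns what each of them saw."""
    cache = SharedCache(origin)
    alice_sees = cache.get("/my-booking", "tok-alice").body
    bob_sees = cache.get("/my-booking", "tok-bob").body
    return alice_sees, bob_sees
```

With origin_buggy the second request never reaches the app: Bob is shown Alice's booking straight from the cache, which is the "logged in as the wrong person" symptom the thread is discussing. With origin_fixed both requests hit the origin and each customer sees their own record. Keying the cache on the session as well as the path would also work, but marking authenticated responses private is the simpler rule and survives intermediaries the app owner does not control.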