
BA website session security issue

  • 397 posts

    It seems like BA may have a security hole with how their website handles login sessions.

    I logged in to the BA site using an incognito window and booked an Avios flight. I manually entered the passenger names so it didn't auto-populate the BAEC number, then logged out.
    Player 2 logs in; their name is displayed on the page and, upon going into the account page, their BAEC number and points balance are displayed.
    Player 2 then books an Avios flight and again manually enters the passenger names.
    At the payment stage, it has already populated the email address with my email address rather than player 2's.
    Upon completing the booking, when it displays the PNR and the name of the person booking, it displays my full name, which only exists within my BA account and wasn't entered on either booking, so it shouldn't be able to display that unless it's still accessing my account.
    Return to the home page: it still shows player 2's name.
    Go to manage bookings, and it has pre-populated my BAEC number on the booking and is displaying my BAEC number and points balance at the top of the page.
    Return to the home page: it shows player 2's details.

    It appears that it has retained the session info from my login, even though the account had been logged out and a totally different account was then logged in to.

    BA seem to have made it as difficult as possible to find recent transactions on the website, burying them in 'Membership', then 'Statements', but when checked, there's no transaction for the flight player 2 just booked.

    So I log in to my account on the app and, as expected, it shows both flights as having deducted points from my account, even though the account had been logged out of after the first booking and a different account then logged in to before the second booking.

    That... shouldn't happen.

    397 posts

    Oh, and more comedy BA website security.

    While typing the above, I had a session logged in on a different browser that, when I switched back to it, had timed out and was displaying a message saying I'd been logged out for security. Press OK. It returns to the homepage and my name is still displayed; click on it and it shows all of my account details. Logged out? Interesting.

    I had thought this previously, but it appears that they have two different platforms running on their website and whatever SSO links the two is junk. The first seems to be a layer on the website, which presumably gives access to basic account details; then there's a second layer, which is the login used for booking and retrieving flight info. If I were to guess, the logout button is only terminating the website login, which is why the backend was still taking my details, while the timeout message is actually the backend timing out while the website session remains logged in. Or something like that.

    Either way, not good enough.

    1,158 posts

    Isn't BA just remembering the details P2 used for a previous booking? For a long time, my booking confirmations and edit confirmations were being sent to my OH, as I'd not spotted BA had used her email address instead of mine for the booking.

    And the points deduction for you is normal for a household account, but are you saying P2 had no Avios deducted?

    Sorry if I am being a bit dense, but I’m struggling to follow the path taken.

    But I've seen the account name still showing after logout too. Some caching happening, perhaps? I guess anything new would fail, as the token for the backend would have expired. Well, you can hope.
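The two-layer session hypothesis in the second post (logout only terminates the website login while a separate booking-backend token lingers, and the reverse case where the backend times out while the website session lives on) and the "anything new would fail" expectation in the reply above can both be modelled in a few lines. The following is an added illustration written for this page, not BA's code and not based on any knowledge of their systems: the layer names, cookie names and member numbers are made up, and the "leaky" class simply encodes the behaviour the thread describes so it can be compared with a version that revokes every layer on logout and refuses a booking whose identity does not match the website login.

```python
"""Model of a two-layer web session: a 'site' session that renders the name in
the header, and a separate 'booking' token that decides whose account pays.
Everything here is constructed for illustration (cookie names, member numbers,
class names); it is not the site's real code."""
import secrets


class SiteLayer:
    """Website login: knows who to greet and which account page to show."""

    def __init__(self):
        self.sessions = {}  # session id -> member number

    def login(self, cookies, member):
        sid = secrets.token_hex(16)
        self.sessions[sid] = member
        cookies["site_session"] = sid

    def whoami(self, cookies):
        return self.sessions.get(cookies.get("site_session"))

    def logout(self, cookies):
        self.sessions.pop(cookies.pop("site_session", None), None)


class BookingBackend:
    """Booking engine with its own token; this is the account Avios come from."""

    def __init__(self):
        self.tokens = {}  # token -> member number

    def issue(self, cookies, member):
        tok = secrets.token_hex(16)
        self.tokens[tok] = member
        cookies["booking_token"] = tok

    def whoami(self, cookies):
        return self.tokens.get(cookies.get("booking_token"))

    def revoke(self, cookies):
        self.tokens.pop(cookies.pop("booking_token", None), None)


class LeakySite:
    """Encodes the thread's hypothesis: logout only ends the site layer."""

    def __init__(self):
        self.site, self.backend = SiteLayer(), BookingBackend()

    def login(self, cookies, member):
        self.site.login(cookies, member)
        if self.backend.whoami(cookies) is None:  # reuse any existing token
            self.backend.issue(cookies, member)

    def logout(self, cookies):
        self.site.logout(cookies)  # booking token left untouched

    def header_name(self, cookies):
        return self.site.whoami(cookies)

    def book(self, cookies):
        return self.backend.whoami(cookies)  # account that gets charged


class HardenedSite(LeakySite):
    """Logout revokes every layer; no layer is trusted without the other."""

    def login(self, cookies, member):
        self.logout(cookies)  # never inherit state from a previous user
        self.site.login(cookies, member)
        self.backend.issue(cookies, member)

    def logout(self, cookies):
        self.site.logout(cookies)
        self.backend.revoke(cookies)

    def header_name(self, cookies):
        member = self.site.whoami(cookies)
        if member is None or self.backend.whoami(cookies) != member:
            self.logout(cookies)  # one layer gone or mismatched: drop both
            return None
        return member

    def book(self, cookies):
        member = self.site.whoami(cookies)
        if member is None or self.backend.whoami(cookies) != member:
            raise PermissionError("booking identity does not match site login")
        return member


def run_scenario(site):
    """Replays the first post's sequence in one browser; returns who paid."""
    cookies = {}  # one browser's cookie jar, shared by both layers
    site.login(cookies, "BA1111111")  # player 1 (constructed member number)
    charged = [site.book(cookies)]
    site.logout(cookies)
    site.login(cookies, "BA2222222")  # player 2 (constructed member number)
    assert site.header_name(cookies) == "BA2222222"  # header looks correct
    charged.append(site.book(cookies))
    return charged


def run_timeout(site):
    """Second post: backend token expires while the site session lives on."""
    cookies = {}
    site.login(cookies, "BA1111111")
    site.backend.revoke(cookies)  # simulate the backend timing out
    try:
        booked = site.book(cookies)
    except PermissionError:
        booked = "refused"
    return site.header_name(cookies), booked
```

With the leaky model, `run_scenario` charges both bookings to player 1 even though the header greets player 2, and `run_timeout` keeps showing player 1's name after the backend token is gone while a new booking silently returns no account. The hardened model charges each booking to the logged-in member, and once either layer is missing it refuses the booking and drops the header name too, which is the property a practitioner would want to verify after logout or timeout: every cookie the site set must be unusable, not just the one behind the greeting.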

