Need to alert Disney's IT department of MAJOR SECURITY glitch

Status
Not open for further replies.
That is strange. We recently had a weird issue too. Hubby went to activate his annual pass certificate and they asked for his magic band. When they scanned it, it came up as the name of someone else with all of that person's info. The ticket lady all but accused us of stealing someone else's band. I had to show her how my husband's name was personalized inside. She finally scanned it again, hesitantly, and my hubby's info showed up.
 
That is strange. We recently had a weird issue too. Hubby went to activate his annual pass certificate and they asked for his magic band. When they scanned it, it came up as the name of someone else with all of that person's info. The ticket lady all but accused us of stealing someone else's band. I had to show her how my husband's name was personalized inside. She finally scanned it again, hesitantly, and my hubby's info showed up.
Holy Bleep!

What the heck is Disney's system doing. If they can't get the right data on their end it just might be a bigger problem than I originally thought.

Mike
 
It's virtually impossible to know which session you'd see if/when you timed it just right to be shown another session's information. So while it is true that there is a serious data exposure issue, it's still highly unlikely you'd be able to correlate it with someone you know.
I'm not sure what point this is making, but this is kinda irrelevant to the issue at hand. I doubt there will be any problems for the average person being fed another person's data. The real worry is a hacker eventually exploiting the security hole.

That other random person just happens to be logged in at the same time on a different server. Next time it'll be a totally different random person's info.
How do you know that the random account that someone sees is someone “happens to be logged in at the same time on a different server”?

Mike
 
How do you know that the random account that someone sees is someone “happens to be logged in at the same time on a different server”?

Because they use F5 BigIP load balancers, and the client persistence cookie times out well before the configured server session timeout lapses (viewable in your browser debugger). Last I checked, they don't even have cookie encryption turned on, which reveals the internal IP and port of the server you're connected to.

Everyone with me still? :teacher:
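The two things this post points at are both checkable from the defender's side: whether the BIG-IP persistence cookie is being sent unencrypted (and so exposes a backend address), and whether the persistence cookie lifetime is shorter than the application's session timeout. The script below is an added example, not code from the thread or from F5; the cookie name `BIGipServerpool_mde`, the address `10.10.1.100:8080`, the timeouts and the request timings are all constructed. The plain-cookie encoding it decodes (IPv4 as a little-endian decimal, byte-swapped port, trailing `.0000`) is F5's documented default for unencrypted insert-mode cookies; session handling on the backends is modelled as server-local with no replication, which is an assumption.

```python
"""Defender-side checks for a BIG-IP cookie-persistence deployment:
1. audit a Set-Cookie header for a plain (unencrypted) BIGipServer cookie;
2. model what happens when the persistence cookie expires before the
   application session does.
All sample values are constructed for this example.
"""
import socket
import struct
from http.cookies import SimpleCookie


def decode_bigip_cookie(value: str):
    """Return (ip, port) for a plain-encoded BIGipServer cookie value,
    or None when the value is not in that format (e.g. it is encrypted)."""
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    ip_int, port_swapped = int(parts[0]), int(parts[1])
    # IPv4 is stored as a little-endian 32-bit integer in decimal.
    ip = socket.inet_ntoa(struct.pack("<I", ip_int))
    # Port is stored with its two bytes swapped.
    port = struct.unpack("<H", struct.pack(">H", port_swapped))[0]
    return ip, port


def audit_set_cookie(header: str):
    """Parse one Set-Cookie header and report on any BIGipServer cookie."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not name.startswith("BIGipServer"):
            continue
        decoded = decode_bigip_cookie(morsel.value)
        if decoded is None:
            findings.append(f"{name}: not plain-encoded; cookie encryption appears to be on")
        else:
            ip, port = decoded
            findings.append(f"{name}: plain cookie exposes backend {ip}:{port}; enable cookie encryption")
    return findings


def simulate_sticky_routing(requests_at, persistence_ttl, session_ttl, n_servers=2):
    """Model one client behind cookie persistence whose application session
    lives only on the backend that created it (assumed: no replication).
    Returns one (server, outcome) per request, where outcome is 'new'
    (fresh session), 'ok' (same server, session valid) or 'lost'
    (persistence expired and the client landed on a server without it)."""
    persist_server, persist_until = None, -1
    session_server, session_until = None, -1
    results = []
    for t in requests_at:
        if persist_server is None or t >= persist_until:
            # Persistence cookie missing/expired: the LB picks a node again;
            # modelled here as always choosing the next node.
            persist_server = 0 if persist_server is None else (persist_server + 1) % n_servers
        persist_until = t + persistence_ttl          # cookie refreshed on each response
        if session_server == persist_server and t <= session_until:
            outcome = "ok"
        else:
            outcome = "new" if session_server is None else "lost"
            session_server = persist_server
        session_until = t + session_ttl              # app session refreshed on use
        results.append((persist_server, outcome))
    return results


if __name__ == "__main__":
    # Constructed header: plain cookie for 10.10.1.100:8080.
    print(audit_set_cookie("BIGipServerpool_mde=1677789706.36895.0000; path=/"))
    # Persistence (600 s) shorter than the app session (1800 s): the third
    # request lands on a server that never saw the session.
    print(simulate_sticky_routing([0, 300, 900], persistence_ttl=600, session_ttl=1800))
    # Persistence at least as long as the session: stays on one server.
    print(simulate_sticky_routing([0, 300, 900], persistence_ttl=1800, session_ttl=1800))
```

The check the post describes in the browser debugger is the first function: if the BIGipServer value still splits into three decimal fields, cookie encryption is off. The simulation is the configuration rule behind the second complaint: the persistence timeout must be at least as long as the application's session timeout, or a still-valid session will be routed to a node that does not hold it.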
 
Because they use F5 BigIP load balancers, and the client persistence cookie times out well before the configured server session timeout lapses (viewable in your browser debugger). Last I checked, they don't even have cookie encryption turned on, which reveals the internal IP and port of the server you're connected to.

Everyone with me still? :teacher:

Sounds like Disney IT should hire you.
 
Because they use F5 BigIP load balancers, and the client persistence cookie times out well before the configured server session timeout lapses (viewable in your browser debugger). Last I checked, they don't even have cookie encryption turned on, which reveals the internal IP and port of the server you're connected to.

Everyone with me still? :teacher:
I get what you're saying, but that doesn't explain why a random account is fed to someone else, or why, when a CM is scanning a MagicBand in the park, someone else's account comes up.

If it were just a matter of randomly seeing other accounts, that would be one thing. But, when taken together with the wrong and missing data in MDE, it seems to indicate something else. Especially when the guest sees canceled/missing ADRs and, when called, a CM sees the same thing. That is unless you know of some way persistence cookies can cause the same data issues whether viewed by the guest or a CM.

On a side note, I wonder what would happen if someone purchases something in the park with their MagicBand and it gets charged to a different account.

Mike
 
I get what you're saying, but that doesn't explain why a random account is fed to someone else, or why, when a CM is scanning a MagicBand in the park, someone else's account comes up.

If it were just a matter of randomly seeing other accounts, that would be one thing. But, when taken together with the wrong and missing data in MDE, it seems to indicate something else. Especially when the guest sees canceled/missing ADRs and, when called, a CM sees the same thing. That is unless you know of some way persistence cookies can cause the same data issues whether viewed by the guest or a CM.

On a side note, I wonder what would happen if someone purchases something in the park with their MagicBand and it gets charged to a different account.

Mike

With all due respect, do you understand how browser-based sessions work, what a primary key is, a session token, etc.? Do you know what a persistence cookie is with regard to a middlebox load balancer? If so, open your browser debugger when you're logged in to MDE and you'll see pretty quickly how that happens. It has nothing to do with MagicBand charges, bookings, or anything like that.

At this point, I don't think further explanation is really within scope of this thread (or is relevant to this forum, really). Sorry if this isn't sufficient.

Sounds like Disney IT should hire you.

I worked at a Disney store in high school (early 90s). I learned one thing: working for Disney is not the greatest!!
 
At this point OP’s question has been thoroughly discussed and this thread has moved beyond being applicable to theme park attractions and strategies, so closing. Thanks all.
 