Need to alert Disney's IT department of MAJOR SECURITY glitch

Discussion in 'Theme Parks Attractions and Strategies' started by *I'msoooBelle*, Oct 3, 2018.

Thread Status:
Not open for further replies.
  1. *I'msoooBelle*

    *I'msoooBelle* Mouseketeer

    Joined:
    Jul 7, 2016
    Messages:
    198
    Does anyone know where I can report a major security glitch that I just experienced with MDE?

    I just posted to another thread the following:

    I'm concerned. I just logged into my MDE account via my desktop. I was updating the avatars for my family members who lost theirs with the update. When I went back to the home profile page, it had my name "XXXX' plan's" but it was the itinerary of a large family that is completely unknown to me. I was able to see their resort reservations, dining reservations, fast passes, confirmation numbers, the amount left to pay, etc. I'm completely unsettled. If I was taken to this family's MDE account, that most certainly means that someone can have access to mine. I signed out and logged back in and it's back to my profile with my information. This is major. My mind is spinning at the moment... I need to report this to Disney IT, does anyone know what their email address is?
     
    MicroBeta and vinotinto like this.
  2. matheke

    matheke DIS Veteran

    Joined:
    Dec 18, 2001
    Messages:
    1,142
    (407) 939-4357. I have seen this number a hundred times in the last couple of days with all the MDE problems.
     
    vinotinto likes this.
  4. *I'msoooBelle*

    *I'msoooBelle* Mouseketeer

    Joined:
    Jul 7, 2016
    Messages:
    198
    This chilled me to the bone. This is the first time I have experienced something like that with the application. Disney's IT have to deploy software patches immediately. The fact that my family's information is not secured and can be exposed is unsettling.
     
    MicroBeta and AnnaKat like this.
  5. ashm

    ashm Earning My Ears

    Joined:
    Jun 18, 2017
    Messages:
    16
    I had the same thing happen to me! I logged in to my account to make a dining reservation, and it was my account, but with a different family's information!
     
    AnnaKat likes this.
  6. js

    js Been around since before the disboards 90s crash

    Joined:
    Jan 18, 2000
    Messages:
    6,639
    This happened to me too about a year ago and thought it was a fluke but now see it isn't and we are an extremely small speck of those that go to Disney and use MDE so I can only now imagine how widespread this may be. Their site now is not only awful, but also not so secure.
     
    karensi, Searc, Madame and 1 other person like this.
  7. Klayfish

    Klayfish DIS Veteran

    Joined:
    May 19, 2016
    Messages:
    6,782
    I'm going to guess they're already aware, but you can certainly call them. Guess everyone handles it differently, but I don't think it's THAT big of a deal. There are worse things than someone being able to see my reservations at WDW.
     
    KateMW, JediBonas, tiki23 and 22 others like this.
  8. AngiTN

    AngiTN DIS Veteran

    Joined:
    Mar 7, 2011
    Messages:
    22,506
    Without a doubt. If I'd logged in to see someone else's account on my bank app or credit card app, that would chill me to the bone.
    Disney stuff, eh. I'd shoot them a phone call, or email if there is one, and move on. But I guess I am missing something to be worried about. Or at least have way bigger things I do worry about so no room left for more, LOL. We all got our limits and I'm past mine anymore.
     
  9. Jennasis

    Jennasis DIS life goes on

    Joined:
    Jun 11, 2000
    Messages:
    30,589
    It's not just your reservations they could potentially see...but credit card info, address, phone number, travel dates etc. And could someone potentially mess with someone else's reservation? Bottom line is that it is a security breach.
     
  10. AngiTN

    AngiTN DIS Veteran

    Joined:
    Mar 7, 2011
    Messages:
    22,506
    Shows you that it's happened for a long time. And still, no security issues abounding out there, where strangers are booking rooms, FP, etc in someone's account. Seeing info and using it (as in booking a room), 2 different things. The fact that OP signed out and back in and it was gone means they aren't crossed permanently. It was a fluke. Not to say that it shouldn't happen (it shouldn't!) simply that it seems there is not any harm that can come from it when it does.
     
    jeff_h and Klayfish like this.
  11. AngiTN

    AngiTN DIS Veteran

    Joined:
    Mar 7, 2011
    Messages:
    22,506
    You don't know that. Seeing a list of reservations does not provide a credit card number. Folks with shared reservations can't access credit card numbers. It sounds like a breach in the linking of account friends and family lists (something that MDE has been horrible with since day 1) not a breach in accounts themselves. Linked MDE accounts for sharing resorts, FP, ADR, etc is just a nightmare and why I've forbidden DH from opening his own account.
     
    jeff_h, maxiesmom, Minnesota! and 7 others like this.
  12. Magpie

    Magpie DIS Veteran

    Joined:
    Oct 27, 2007
    Messages:
    10,621
    If it was a loophole that could be deliberately exploited, say by someone in my town looking to find out which homes are going to be empty over certain periods of time (though they'd be disappointed with us, as our dog sitter lives in the house when we're gone), then that might be concerning. But that doesn't appear to be the case.

    And if you could see full credit card numbers, that'd also be worrying. But, every time I try to open a page that takes me to that info, Disney makes me sign in again. So, I rather doubt you could harvest much in the way of actually useful data. It sounds like all they got was the "my plans" page of MDE.

    So, basically, the glitch appears to be randomly linking a few vacationers, as "Friends and Family". And, frankly, it doesn't worry me if you (as some random person) see my vacation plans. There's not much you can do, because the site will ask you to log in again, and you don't know my email or password. Even if you were able to cancel my Slinky Dog FP, I'd expect Disney to make it right.

    You're going to be way more interested in getting your info back, than in trying to mess with mine. We both have vacations to plan!

    That said, certainly Disney should be contacted and made aware. I just agree that there's no reason to panic.
     
  13. StacyStrong

    StacyStrong DIS Veteran

    Joined:
    May 8, 2018
    Messages:
    925
    I would never allow someone to manage all my plans because I don't travel with the same people all the time. You're lucky that that works for you.
     
  14. StacyStrong

    StacyStrong DIS Veteran

    Joined:
    May 8, 2018
    Messages:
    925
    I don't care if someone knows my basic Disney plans. What I do care about is the fact that it's possible for people to know my plans without my consent. This is a security glitch we ARE aware of. What security holes DON'T we know about? If they are so careless with what IS customer facing, I'm not exactly confident in how they treat data that isn't customer facing.
     
  15. Jennasis

    Jennasis DIS life goes on

    Joined:
    Jun 11, 2000
    Messages:
    30,589
    You have more faith in their IT than I do LOL. If it had happened to me, I would have called IT immediately as well.
     
  16. AnnaKat

    AnnaKat Mouseketeer

    Joined:
    May 26, 2015
    Messages:
    438
    Could they cancel all your reservations?!?! How is that not a big deal?!?!
     
    vinotinto likes this.
  17. Magpie

    Magpie DIS Veteran

    Joined:
    Oct 27, 2007
    Messages:
    10,621
    I don't know if they could, since Disney annoyingly seems to make you log in again whenever you try to do anything on their site. (I only walked away for FIVE minutes! Why is my session expired???)

    But even if they could... Why would they?

    If you opened up a page to see someone else's plans listed, would you immediately emit a villainous laugh and start trying to cancel their reservations? I know I wouldn't. I'd do what anyone else would do... comment, "Oh, that's weird," and log out and log in again, looking for MY plans. Then I'd fire a note off to Disney about it, with all the relevant details (browser type, computer, time, etc).
     
    Kailani6, AmyA, serenitygr and 3 others like this.
  18. bumbershoot

    bumbershoot DIS Veteran

    Joined:
    Mar 5, 2007
    Messages:
    67,142
    She was only saying she manages her husband’s account. I would assume that he doesn’t go to Disney without her. That’s how it was in my marriage. He didn’t go on his own. I did. So it made no sense to have him have his own MDE.
     
    Aerodyne78 and bookbabe626 like this.
  19. Skywise

    Skywise DIS Veteran

    Joined:
    Jul 24, 2013
    Messages:
    2,872
    So glad they outsourced this.

    It's obvious they're reusing IDs somewhere which no longer point to the right info (either via cookies or session id). Displaying personal information from a cloud site via token ID is BASIC software engineering these days.

    I'm sure their credit card system is working perfectly though...
     
    Last edited: Oct 5, 2018
    Searc, Toolulu22, lambdabeta and 3 others like this.
  20. Magpie

    Magpie DIS Veteran

    Joined:
    Oct 27, 2007
    Messages:
    10,621
    My husband and I only have one account for our family, as well. I expect most families would, unless they regularly take separate trips to Disney?

    If our son decides, someday, to take his girlfriend to Disney and pay for the trip himself, then I expect he'd create his own account at that point. He'd need one, since we wouldn't be arranging accommodations or payment for him (the way we do on family trips).
     
    North of Mouse and Figmentmommy like this.
  21. StacyStrong

    StacyStrong DIS Veteran

    Joined:
    May 8, 2018
    Messages:
    925
    Right. And I'm saying that's lucky. I wouldn't be able to.
     
