Need to alert Disney's IT department of MAJOR SECURITY glitch

Status
Not open for further replies.

*I'msoooBelle*

Mouseketeer
Joined
Jul 7, 2016
Does anyone know where I can report a major security glitch that I just experienced with MDE?

I just posted to another thread the following:

I'm concerned. I just logged into my MDE account via my desktop. I was updating the avatars for my family members who lost theirs with the update. When I went back to the home profile page, it had my name "XXXX' plan's" but it was the itinerary of a large family that is completely unknown to me. I was able to see their resort reservations, dining reservations, fast passes, confirmation numbers, the amount left to pay, etc. I'm completely unsettled. If I was taken to this family's MDE account, that most certainly means that someone can have access to mine. I signed out and logged back in and it's back to my profile with my information. This is major. My mind is spinning at the moment... I need to report this to Disney IT, does anyone know what their email address is?
 

matheke

DIS Veteran
Joined
Dec 18, 2001
(407) 939-4357. I have seen this number a hundred times in the last couple of days with all the MDE problems.
 

*I'msoooBelle*

Mouseketeer
Joined
Jul 7, 2016
This chilled me to the bone. This is the first time I have experienced something like that with the application. Disney's IT have to deploy software patches immediately. The fact that my family's information is not secured and can be exposed is unsettling.
 
  • ashm

    Earning My Ears
    Joined
    Jun 18, 2017
    I had the same thing happen to me! I logged in to my account to make a dining reservation, and it was my account, but with a different family's information!
     

    js

    Been around since before the disboards 90s crash
    Joined
    Jan 18, 2000
    Does anyone know where I can report a major security glitch that I just experienced with MDE?

    I just posted to another thread the following:

    I'm concerned. I just logged into my MDE account via my desktop. I was updating the avatars for my family members who lost theirs with the update. When I went back to the home profile page, it had my name "XXXX' plan's" but it was the itinerary of a large family that is completely unknown to me. I was able to see their resort reservations, dining reservations, fast passes, confirmation numbers, the amount left to pay, etc. I'm completely unsettled. If I was taken to this family's MDE account, that most certainly means that someone can have access to mine. I signed out and logged back in and it's back to my profile with my information. This is major. My mind is spinning at the moment... I need to report this to Disney IT, does anyone know what their email address is?
    This happened to me too about a year ago and thought it was a fluke but now see it isn't and we are an extremely small speck of those that go to Disney and use MDE so I can only now imagine how widespread this may be. Their site now is not only awful, but also not so secure.
     

    Klayfish

    DIS Veteran
    Joined
    May 19, 2016
    This chilled me to the bone. This is the first time I have experienced something like that with the application. Disney's IT have to deploy software patches immediately. The fact that my family's information is not secured and can be exposed is unsettling.
    I'm going to guess they're already aware, but you can certainly call them. Guess everyone handles it differently, but I don't think it's THAT big of a deal. There are worse things than someone being able to see my reservations at WDW.
     

    AngiTN

    DIS Veteran
    Joined
    Mar 7, 2011
    I'm going to guess they're already aware, but you can certainly call them. There are worse things than someone being able to see my reservations at WDW.
    Without a doubt. If I'd logged in to see someone else's account on my bank app or credit card app, that would chill me to the bone.
    Disney stuff, eh. I'd shoot them a phone call, or email if there is one, and move on. But I guess I am missing something to be worried about. Or at least have way bigger things I do worry about so no room left for more, LOL. We all got our limits and I'm past mine anymore.
     
  • Jennasis

    DIS life goes on
    Joined
    Jun 11, 2000
    I'm going to guess they're already aware, but you can certainly call them. There are worse things than someone being able to see my reservations at WDW.
    It's not just your reservations they could potentially see...but credit card info, address, phone number, travel dates etc. And could someone potentially mess with someone else's reservation? Bottom line is that it is a security breach.
     

    AngiTN

    DIS Veteran
    Joined
    Mar 7, 2011
    This happened to me too about a year ago and thought it was a fluke but now see it isn't and we are an extremely small speck of those that go to Disney and use MDE so I can only now imagine how widespread this may be. Their site now is not only awful, but also not so secure.
    Shows you that it's happened for a long time. And still, no security issues abounding out there, where strangers are booking rooms, FP, etc in someone's account. Seeing info and using it, (as in booking a room), 2 different things. The fact that OP signed out and back in and it was gone means they aren't crossed permanently. It was a fluke. Not to say that it shouldn't happen (it shouldn't!) simply that it seems there is not any harm that can come from it when it does.
     

    AngiTN

    DIS Veteran
    Joined
    Mar 7, 2011
    It's not just your reservations they could potentially see...but credit card info, address, phone number, travel dates etc. And could someone potentially mess with someone else's reservation? Bottom line is that it is a security breach.
    You don't know that. Seeing a list of reservations does not provide a credit card number. Folks with shared reservations can't access credit card numbers. It sounds like a breach in the linking of account friends and family lists (something that MDE has been horrible with since day 1) not a breach in accounts themselves. Linked MDE accounts for sharing resorts, FP, ADR, etc is just a nightmare and why I've forbidden DH from opening his own account.
     

    Magpie

    DIS Veteran
    Joined
    Oct 27, 2007
    I'm going to guess they're already aware, but you can certainly call them. Guess everyone handles it differently, but I don't think it's THAT big of a deal. There are worse things than someone being able to see my reservations at WDW.
    If it was a loophole that could be deliberately exploited, say by someone in my town looking to find out which homes are going to be empty over certain periods of time (though they'd be disappointed with us, as our dog sitter lives in the house when we're gone), then that might be concerning. But that doesn't appear to be the case.

    And if you could see full credit card numbers, that'd also be worrying. But, every time I try to open a page that takes me to that info, Disney makes me sign in again. So, I rather doubt you could harvest much in the way of actually useful data. It sounds like all they got was the "my plans" page of MDE.

    So, basically, the glitch appears to be randomly linking a few vacationers, as "Friends and Family". And, frankly, it doesn't worry me if you (as some random person) see my vacation plans. There's not much you can do, because the site will ask you to log in again, and you don't know my email or password. Even if you were able to cancel my Slinky Dog FP, I'd expect Disney to make it right.

    You're going to be way more interested in getting your info back, than in trying to mess with mine. We both have vacations to plan!

    That said, certainly Disney should be contacted and made aware. I just agree that there's no reason to panic.
     
  • StacyStrong

    DIS Veteran
    Joined
    May 8, 2018
    You don't know that. Seeing a list of reservations does not provide a credit card number. Folks with shared reservations can't access credit card numbers. It sounds like a breach in the linking of account friends and family lists (something that MDE has been horrible with since day 1) not a breach in accounts themselves. Linked MDE accounts for sharing resorts, FP, ADR, etc is just a nightmare and why I've forbidden DH from opening his own account.
    I would never allow someone to manage all my plans because I don't travel with the same people all the time. You're lucky that that works for you.
     

    StacyStrong

    DIS Veteran
    Joined
    May 8, 2018
    I don't care if someone knows my basic Disney plans. What I do care about is the fact that it's possible for people to know my plans without my consent. This is a security glitch we ARE aware of. What security holes DON'T we know about? If they are so careless with what IS customer facing, I'm not exactly confident in how they treat data that isn't customer facing.
     

    Jennasis

    DIS life goes on
    Joined
    Jun 11, 2000
    You don't know that. Seeing a list of reservations does not provide a credit card number. Folks with shared reservations can't access credit card numbers. It sounds like a breach in the linking of account friends and family lists (something that MDE has been horrible with since day 1) not a breach in accounts themselves. Linked MDE accounts for sharing resorts, FP, ADR, etc is just a nightmare and why I've forbidden DH from opening his own account.
    You have more faith in their IT than I do LOL. If it had happened to me, I would have called IT immediately as well.
     

    AnnaKat

    Mouseketeer
    Joined
    May 26, 2015
    It's not just your reservations they could potentially see...but credit card info, address, phone number, travel dates etc. And could someone potentially mess with someone else's reservation? Bottom line is that it is a security breach.
    Could they cancel all your reservations?!?! How is that not a big deal?!?!
     

    Magpie

    DIS Veteran
    Joined
    Oct 27, 2007
    Could they cancel all your reservations?!?! How is that not a big deal?!?!
    I don't know if they could, since Disney annoyingly seems to make you log in again whenever you try to do anything on their site. (I only walked away for FIVE minutes! Why is my session expired???)

    But even if they could... Why would they?

    If you opened up a page to see someone else's plans listed, would you immediately emit a villainous laugh and start trying to cancel their reservations? I know I wouldn't. I'd do what anyone else would do... comment, "Oh, that's weird," and log out and log in again, looking for MY plans. Then I'd fire a note off to Disney about it, with all the relevant details (browser type, computer, time, etc).
     

    bumbershoot

    DIS Veteran
    Joined
    Mar 5, 2007
    I would never allow someone to manage all my plans because I don't travel with the same people all the time. You're lucky that that works for you.
    She was only saying she manages her husband’s account. I would assume that he doesn’t go to Disney without her. That’s how it was in my marriage. He didn’t go on his own. I did. So it made no sense to have him have his own MDE.
     

    Skywise

    DIS Veteran
    Joined
    Jul 24, 2013
    So glad they outsourced this.

    It's obvious they're reusing IDs somewhere which no longer point to the right info (either via cookies or session id). Displaying personal information from a cloud site via token ID is BASIC software engineering these days.

    I'm sure their credit card system is working perfectly though...
     

    Magpie

    DIS Veteran
    Joined
    Oct 27, 2007
    She was only saying she manages her husband’s account. I would assume that he doesn’t go to Disney without her. That’s how it was in my marriage. He didn’t go on his own. I did. So it made no sense to have him have his own MDE.
    My husband and I only have one account for our family, as well. I expect most families would, unless they regularly take separate trips to Disney?

    If our son decides, someday, to take his girlfriend to Disney and pay for the trip himself, then I expect he'd create his own account at that point. He'd need one, since we wouldn't be arranging accommodations or payment for him (the way we do on family trips).
     

    StacyStrong

    DIS Veteran
    Joined
    May 8, 2018
    She was only saying she manages her husband’s account. I would assume that he doesn’t go to Disney without her. That’s how it was in my marriage. He didn’t go on his own. I did. So it made no sense to have him have his own MDE.
    Right. And I'm saying that's lucky. I wouldn't be able to.
     