Need to alert Disney's IT department of MAJOR SECURITY glitch

Status
Not open for further replies.

*I'msoooBelle*

Mouseketeer
Joined
Jul 7, 2016
Does anyone know where I can report a major security glitch that I just experienced with MDE?

I just posted to another thread the following:

I'm concerned. I just logged into my MDE account via my desktop. I was updating the avatars for my family members who lost theirs with the update. When I went back to the home profile page, it had my name "XXXX' plan's" but it was the itinerary of a large family that is completely unknown to me. I was able to see their resort reservations, dining reservations, fast passes, confirmation numbers, the amount left to pay, etc. I'm completely unsettled. If I was taken to this family's MDE account, that most certainly means that someone can have access to mine. I signed out and logged back in and it's back to my profile with my information. This is major. My mind is spinning at the moment... I need to report this to Disney IT, does anyone know what their email address is?
 
(407) 939-4357. I have seen this number a hundred times in the last couple of days with all the MDE problems.
 
This chilled me to the bone. This is the first time I've experienced something like that with the application. Disney's IT have to deploy software patches immediately. The fact that my family's information is not secured and can be exposed is unsettling.
 
I had the same thing happen to me! I logged in to my account to make a dining reservation, and it was my account, but with a different family's information!
 


Does anyone know where I can report a major security glitch that I just experienced with MDE?

I just posted to another thread the following:

I'm concerned. I just logged into my MDE account via my desktop. I was updating the avatars for my family members who lost theirs with the update. When I went back to the home profile page, it had my name "XXXX' plan's" but it was the itinerary of a large family that is completely unknown to me. I was able to see their resort reservations, dining reservations, fast passes, confirmation numbers, the amount left to pay, etc. I'm completely unsettled. If I was taken to this family's MDE account, that most certainly means that someone can have access to mine. I signed out and logged back in and it's back to my profile with my information. This is major. My mind is spinning at the moment... I need to report this to Disney IT, does anyone know what their email address is?

This happened to me too about a year ago and thought it was a fluke but now see it isn't and we are an extremely small speck of those that go to Disney and use MDE so I can only now imagine how widespread this may be. Their site now is not only awful, but also not so secure.
 
This chilled me to the bone. This is the first time I've experienced something like that with the application. Disney's IT have to deploy software patches immediately. The fact that my family's information is not secured and can be exposed is unsettling.

I'm going to guess they're already aware, but you can certainly call them. Guess everyone handles it differently, but I don't think it's THAT big of a deal. There are worse things than someone being able to see my reservations at WDW.
 
I'm going to guess they're already aware, but you can certainly call them. There are worse things than someone being able to see my reservations at WDW.
Without a doubt. If I'd logged in to see someone else's account on my bank app or credit card app, that would chill me to the bone.
Disney stuff, eh. I'd shoot them a phone call, or email if there is one, and move on. But I guess I am missing something to be worried about. Or at least have way bigger things I do worry about so no room left for more, LOL. We all got our limits and I'm past mine anymore.
 


I'm going to guess they're already aware, but you can certainly call them. There are worse things than someone being able to see my reservations at WDW.

It's not just your reservations they could potentially see...but credit card info, address, phone number, travel dates etc. And could someone potentially mess with someone else's reservation? Bottom line is that it is a security breach.
 
This happened to me too about a year ago and thought it was a fluke but now see it isn't and we are an extremely small speck of those that go to Disney and use MDE so I can only now imagine how widespread this may be. Their site now is not only awful, but also not so secure.
Shows you that it's happened for a long time. And still, no security issues abounding out there, where strangers are booking rooms, FP, etc. in someone's account. Seeing info and using it (as in booking a room) are 2 different things. The fact that OP signed out and back in and it was gone means they aren't crossed permanently. It was a fluke. Not to say that it shouldn't happen (it shouldn't!), simply that it seems there is not any harm that can come from it when it does.
 
It's not just your reservations they could potentially see...but credit card info, address, phone number, travel dates etc. And could someone potentially mess with someone else's reservation? Bottom line is that it is a security breach.
You don't know that. Seeing a list of reservations does not provide a credit card number. Folks with shared reservations can't access credit card numbers. It sounds like a breach in the linking of account friends and family lists (something that MDE has been horrible with since day 1) not a breach in accounts themselves. Linked MDE accounts for sharing resorts, FP, ADR, etc. is just a nightmare and why I've forbidden DH from opening his own account.
 
I'm going to guess they're already aware, but you can certainly call them. Guess everyone handles it differently, but I don't think it's THAT big of a deal. There are worse things than someone being able to see my reservations at WDW.

If it was a loophole that could be deliberately exploited, say by someone in my town looking to find out which homes are going to be empty over certain periods of time (though they'd be disappointed with us, as our dog sitter lives in the house when we're gone), then that might be concerning. But that doesn't appear to be the case.

And if you could see full credit card numbers, that'd also be worrying. But, every time I try to open a page that takes me to that info, Disney makes me sign in again. So, I rather doubt you could harvest much in the way of actually useful data. It sounds like all they got was the "my plans" page of MDE.

So, basically, the glitch appears to be randomly linking a few vacationers, as "Friends and Family". And, frankly, it doesn't worry me if you (as some random person) see my vacation plans. There's not much you can do, because the site will ask you to log in again, and you don't know my email or password. Even if you were able to cancel my Slinky Dog FP, I'd expect Disney to make it right.

You're going to be way more interested in getting your info back, than in trying to mess with mine. We both have vacations to plan!

That said, certainly Disney should be contacted and made aware. I just agree that there's no reason to panic.
 
You don't know that. Seeing a list of reservations does not provide a credit card number. Folks with shared reservations can't access credit card numbers. It sounds like a breach in the linking of account friends and family lists (something that MDE has been horrible with since day 1) not a breach in accounts themselves. Linked MDE accounts for sharing resorts, FP, ADR, etc. is just a nightmare and why I've forbidden DH from opening his own account.

I would never allow someone to manage all my plans because I don't travel with the same people all the time. You're lucky that that works for you.
 
I don't care if someone knows my basic Disney plans. What I do care about is the fact that it's possible for people to know my plans without my consent. This is a security glitch we ARE aware of. What security holes DON'T we know about? If they are so careless with what IS customer facing, I'm not exactly confident in how they treat data that isn't customer facing.
 
You don't know that. Seeing a list of reservations does not provide a credit card number. Folks with shared reservations can't access credit card numbers. It sounds like a breach in the linking of account friends and family lists (something that MDE has been horrible with since day 1) not a breach in accounts themselves. Linked MDE accounts for sharing resorts, FP, ADR, etc. is just a nightmare and why I've forbidden DH from opening his own account.
You have more faith in their IT than I do LOL. If it had happened to me, I would have called IT immediately as well.
 
It's not just your reservations they could potentially see...but credit card info, address, phone number, travel dates etc. And could someone potentially mess with someone else's reservation? Bottom line is that it is a security breach.

Could they cancel all your reservations?!?! How is that not a big deal?!?!
 
Could they cancel all your reservations?!?! How is that not a big deal?!?!

I don't know if they could, since Disney annoyingly seems to make you log in again whenever you try to do anything on their site. (I only walked away for FIVE minutes! Why is my session expired???)

But even if they could... Why would they?

If you opened up a page to see someone else's plans listed, would you immediately emit a villainous laugh and start trying to cancel their reservations? I know I wouldn't. I'd do what anyone else would do... comment, "Oh, that's weird," and log out and log in again, looking for MY plans. Then I'd fire a note off to Disney about it, with all the relevant details (browser type, computer, time, etc).
 
I would never allow someone to manage all my plans because I don't travel with the same people all the time. You're lucky that that works for you.

She was only saying she manages her husband’s account. I would assume that he doesn’t go to Disney without her. That’s how it was in my marriage. He didn’t go on his own. I did. So it made no sense to have him have his own MDE.
 
So glad they outsourced this.

It's obvious they're reusing IDs somewhere which no longer point to the right info (either via cookies or session ID). Displaying personal information from a cloud site via token ID is BASIC software engineering these days.

I'm sure their credit card system is working perfectly though...
 
She was only saying she manages her husband’s account. I would assume that he doesn’t go to Disney without her. That’s how it was in my marriage. He didn’t go on his own. I did. So it made no sense to have him have his own MDE.

My husband and I only have one account for our family, as well. I expect most families would, unless they regularly take separate trips to Disney?

If our son decides, someday, to take his girlfriend to Disney and pay for the trip himself, then I expect he'd create his own account at that point. He'd need one, since we wouldn't be arranging accommodations or payment for him (the way we do on family trips).
 
She was only saying she manages her husband’s account. I would assume that he doesn’t go to Disney without her. That’s how it was in my marriage. He didn’t go on his own. I did. So it made no sense to have him have his own MDE.
Right. And I'm saying that's lucky. I wouldn't be able to.
 