HUGE warning about Dings!

tinkwannabe2

Mouseketeer
Joined
Aug 17, 2005
Messages
239
I got my ding yesterday and there was an IND - JAX for $37 (rock on!) so I posted it on another board that I post on since it seems everyone is limited to their own hometown. Well another lady that I post with booked the fare along with me (she plans to drive to Indy from Kentucky since it's such a good fare.) Well when she made her reservations, she put in her family's names and her credit card info and everything and pressed the final button, MY INFO CAME UP! My name and my DD's name, our address, our confirmation number and our credit card number (with the first three groups of numbers as asterisks "***" thank God!)

I don't know if it was cause we booked at the same time or cause I posted a link from my ding account, but it happened and I am lucky that it was someone nice and she told me what happened. She called SW twice last night and they didn't believe her. This morning she called customer service and they rebooked her cause there was no record of her original reservation. She said they didn't seem to be bothered by the security breach.

Anyway, the moral of my long story is that you can't post links to ding fares, you should just tell people what the fare was and they can go in through their own ding window.

Thanks for listening!
 
I remember when downloading DING that you got a registration number that was tied to your account information. If you posted your link, you probably gave out your registration #. I would cancel your DING account and reregister.
 
I have a few different Ding accounts because I have five computers that I work on. When you download Ding, it asks you for your city of preference and optionally you can add your SW Rapid Rewards number, right? If you don't put in your RR number, it doesn't know who you are, correct? Is this how the second person had the original poster's info? She had registered with her RR number and when the link was copied, it copied the DING link to her RR account?

Oh my, it is too late for this technical stuff :). Thanks for the warning.
 
I don't know if it was cause we booked at the same time or cause I posted a link from my ding account...

Anyway, the moral of my long story is that you can't post links to ding fares, you should just tell people what the fare was and they can go in through their own ding window.
Without a doubt. There are two ways web applications work: Either using a session cookie, or putting the session id in the URL. If the web application doesn't work if you have cookies disabled, then generally the URL isn't worth much. If the web application does work with cookies disabled, giving someone a URL from your browser is almost as good as giving them your account password. Sessions typically live on for 20-30 minutes after the last interaction you have with the web application (though that can be changed -- on my web server, I have it set for 300 minutes, because I hate timing-out while testing).

I remember when downloading DING that you got a registration number that was tied to your account information. If you posted your link, you probably gave out your registration #. I would cancel your DING account and reregister.
I don't have DING so I cannot be sure, but I do not believe this is the case. Just about every web application I've ever seen uses session ids, and session ids are temporary credentials. DING wouldn't be TrustE certified if it were putting either registration ids or passwords in URLs.
 

Is it always the same, even after restarting your computer? If so, shame-shame on them. Browsers retain memory of URLs visited, and some JavaScript exploits can read this history and pass that information back to the web site.
 
I'm pretty sure it's the session ID. If you follow an emailed link back to the Ding before it times out, it picks up where the original session left off. I don't think it would normally be able to pull your CC info just using the initial listing screen, though, unless you registered with your RR#.

I'll email Ding links to DH at work (b/c he can't have it loaded there), but not to anyone else. We've noticed that whether or not the info carries over depends on how quickly he gets to the email; if he does it right away, my info is there, if he doesn't get to it for 2 hours or so, it's not.

Just to err on the side of caution, I wouldn't send anything from this kind of desktop Java application to anyone who does not already share your CC info, and I certainly wouldn't post the actual link to a public board; that defeats the purpose of having the program loaded in the first place, which is to limit the number of people who can have access to the offer.
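
The replies above come down to one point: a link copied out of a logged-in booking window can carry the session ID with it. The following is an added example, not code from any poster or from Ding, showing a check that strips session-bearing parts from a URL before it is shared. The parameter names and the sample URL are assumptions; the thread never shows what a Ding link looked like.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names that commonly carry a session id (e.g. servlet URL rewriting
# uses ";jsessionid="). The thread does not say which name the Ding links used.
SESSION_PARAMS = {"jsessionid", "phpsessid", "sid", "sessionid", "session_id"}

# Matches path parameters of the form ";name=value" inside the URL path.
PATH_PARAM_RE = re.compile(r";(?P<name>[^=;/]+)=[^;/]*")


def strip_session_ids(url):
    """Return (clean_url, removed_names) with session-bearing parts removed."""
    parts = urlsplit(url)
    removed = []

    def drop_path_param(match):
        name = match.group("name")
        if name.lower() in SESSION_PARAMS:
            removed.append(name)
            return ""
        return match.group(0)  # keep unrelated path parameters untouched

    path = PATH_PARAM_RE.sub(drop_path_param, parts.path)

    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SESSION_PARAMS:
            removed.append(key)
        else:
            kept.append((key, value))

    clean = urlunsplit(
        (parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment)
    )
    return clean, removed


if __name__ == "__main__":
    # Constructed sample link; host, path and token values are made up.
    sample = ("https://booking.example/fares/offer;jsessionid=0A1B2C3D4E5F"
              "?from=IND&to=JAX&sid=deadbeef")
    clean, removed = strip_session_ids(sample)
    print("share this:", clean)
    print("removed   :", removed)
```

If anything is removed, the stripped link may not open the fare at all, which matches the advice in the thread: tell people the fare and let them reach it through their own session.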
 