
The Trainline (UK) website has a ridiculous security flaw and refuses to fix it - scottmf
The Trainline deals with the private data of ~11 million UK residents' data every month, but doesn't seem to care much about security. Posting this publicly appears to be the only way they'll fix it.

I brought this to The Trainline's attention through Twitter DM almost a year ago. They said they'd pass it along to the security team.

I've also spoken directly with a Trainline employee about this issue. He went straight to the security team, who had apparently been aware for some time and "hoped no one would find out".

Almost a year later and nothing has been done.

Note: this doesn't work if someone has signed up for an account with that email address (although it's not required to purchase tickets, many frequent users probably have an account).

How to view someone's personal information and access their ticket history (and refund or use any recently purchased tickets)

1. Sign up for a Trainline account using their email address

2. You're immediately signed in without verifying that you own the email

3. You have full access to their information/tickets.

Yup, it's that easy.
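The flaw the post describes is a signup flow that links a brand-new account to existing guest purchases keyed only by e-mail, before the new user has proved they control that address. The following is an added illustration, not code from the post or from Trainline: a toy in-memory signup service that can run in the flawed mode (history visible immediately) or in a hardened mode (history withheld until a mailed verification token is redeemed). The e-mail address, ticket strings, class and method names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: guest purchases stored against the buyer's e-mail
# only, which is the situation the post describes (no account needed to buy).
GUEST_ORDERS: Dict[str, List[str]] = {
    "alice@example.com": ["LDN-MAN 2019-03-01", "MAN-LDN 2019-03-02"],
}


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    verified: bool = False
    # Hash of the outstanding verification token, so a copy of the account
    # table alone is not enough to verify an address.
    verify_token_hash: Optional[bytes] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SignupService:
    """Toy account service; require_verification=False reproduces the flaw."""

    def __init__(self, require_verification: bool) -> None:
        self.require_verification = require_verification
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}          # session id -> email
        self.outbox: List[Tuple[str, str]] = []     # (recipient, token) "sent"

    def signup(self, email: str, password: str) -> str:
        # An address that already has an account must not be re-registered
        # (the one check the thread confirms Trainline does perform).
        if email in self.accounts:
            raise ValueError("an account with this e-mail already exists")
        salt = secrets.token_bytes(16)
        acct = Account(email, salt, _hash_password(password, salt))
        if self.require_verification:
            token = secrets.token_urlsafe(32)
            acct.verify_token_hash = hashlib.sha256(token.encode()).digest()
            self.outbox.append((email, token))      # stands in for real mail
        else:
            acct.verified = True                    # the flaw: trust on say-so
        self.accounts[email] = acct
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid

    def verify(self, token: str) -> bool:
        """Redeem a mailed token; constant-time compare against stored hashes."""
        digest = hashlib.sha256(token.encode()).digest()
        for acct in self.accounts.values():
            if acct.verify_token_hash is not None and hmac.compare_digest(
                acct.verify_token_hash, digest
            ):
                acct.verified = True
                acct.verify_token_hash = None       # single use
                return True
        return False

    def order_history(self, session_id: str) -> List[str]:
        """Guest history is only merged into an account once the e-mail is proven."""
        email = self.sessions[session_id]
        acct = self.accounts[email]
        if self.require_verification and not acct.verified:
            raise PermissionError("verify your e-mail address to see past orders")
        return list(GUEST_ORDERS.get(email, []))


def demo() -> Tuple[bool, bool]:
    """Returns (flawed_mode_leaks, hardened_mode_blocks) for a quick check."""
    flawed = SignupService(require_verification=False)
    leaks = flawed.order_history(flawed.signup("alice@example.com", "pw")) != []

    hardened = SignupService(require_verification=True)
    sid = hardened.signup("alice@example.com", "pw")
    try:
        hardened.order_history(sid)
        blocks = False
    except PermissionError:
        blocks = True
    return leaks, blocks


if __name__ == "__main__":
    print(demo())
```

The hardened branch still lets the new user log in and buy tickets right away; what it withholds is the link to pre-existing guest data. That is the minimal change: keep an "unverified" state on the account, store only a hash of the single-use token, and gate every read of e-mail-keyed history on that state. Rate-limiting verification attempts and expiring tokens would be the next steps in a real service.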
======
gargravarr
Truly ridiculous, especially if they aren't taking it seriously, but you say
this only affects users who check out as a guest? That does limit the scope,
at least. I can confirm that attempting to register a new account with the
same email address does error out as expected.

Upvoting to bring this to someone's attention.

~~~
scottmf
Yeah the scope is limited to those without accounts.

Try signing up with any other email address and you're immediately signed in —
after being asked for the password you just chose, for security reasons.

