I’ve got a post on the AA.com booking flow that, when I put it up later this week, I’m afraid might already be outdated. The reason is that on November 15th American Airlines put out a press release announcing they had redesigned their site. American described some of the improvements as follows:

At the forefront of the redesign is the site’s homepage, which now provides simpler navigation. Access to all the tools and information customers need is just a click away, thanks to a navigation bar that has been relocated to the top of the screen, rather than the previous left side of the page.

Other features of the redesign include:

  • Upgrading the page width from 800 to 1,024 pixels, which enhances readability
  • A new header, footer and background image on all pages of the site
  • Added links to American’s social media sites in the footer of all pages
  • Centering the site in a customer’s browser

This will not stop me from posting, in a couple of days, a booking flow review with screenshots from about 2 months ago, as it is hopefully still an interesting story. But back to the point of today’s post. Below is a comment from one customer of AA.com on Flyertalk (going by the name of Scion), posted soon after they put the new redesign into production.

I just had a disturbing phone call.

Another person who works in my same company called to report that while attempting to log in to the new AA.com, and after entering his username and password, he was presented with details of MY account … and evidently was able to navigate around, view details, and might, had he been so inclined, have been able to book tickets, use miles for other purposes, or who knows what.

I have never met this person [let’s call him Mr. X], and he works in a different city from me. Insofar as I know, we have never used the same computer for any purpose at any time.

After this experience, Mr. X called AA, who told him repeatedly that the problem must be at his/our end … presumably with our company’s Internet cache servers/firewall. They suggested that he determine whether the person whose account he was viewing worked for the same company. That turned out to be the case, he phoned me, I phoned the EP desk, and that’s where we stand.

This problem, if it is widespread, clearly represents a significant risk. Since I see no obvious reason to believe that my company’s infrastructure is unique in this regard, I suspect other users may be similarly vulnerable. Since the emergence of this problem coincides with the rollout of the new AA.com, it is difficult to imagine the two are not connected.

Very disturbing indeed if in fact it is true as told. About 10 years ago a very similar thing happened to me in a business I was managing at the time (pre Amadeus days), and for both me and the developers involved it was an extremely stressful period until we resolved the bug. Basically, the problem was that we were initializing a data structure in memory on the server at site-startup time, rather than per-connection. This meant it was shared between subsequent connections; after one person finished, the next person to connect would sometimes ‘inherit’ the data.

We fixed it by initializing the data for each connection. Our problem was related to the way Perl on Apache worked, but this sort of thing can be easy to do with languages and frameworks that use threading, such as Java and .Net.
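The bug class described above, as an added Python simulation (not the original Perl/Apache code): one long-lived worker serves connections in turn, first with session data created at startup and then with the data created per connection. The account names, the lazy-load check that lets stale data survive, and the `cross_account_leaks` replay helper are all assumptions made for illustration.

```python
# Constructed sample accounts; all names and values are hypothetical.
ACCOUNTS = {
    "alice": {"password": "pw-a", "miles": 120000},
    "bob": {"password": "pw-b", "miles": 300},
}

def authenticate(user, password):
    record = ACCOUNTS.get(user)
    return record is not None and record["password"] == password

class StartupStateWorker:
    """Flawed: the session structure is built once, when the worker starts."""

    def __init__(self):
        self.session = {}  # created at startup, so it outlives every connection

    def handle(self, user, password):
        if not authenticate(user, password):
            return None
        # Lazy load: skipped when an earlier connection already filled the dict.
        if "member" not in self.session:
            self.session.update(member=user, miles=ACCOUNTS[user]["miles"])
        return dict(self.session)

class PerConnectionWorker:
    """Fixed: every connection starts from a fresh session structure."""

    def handle(self, user, password):
        if not authenticate(user, password):
            return None
        session = {}  # initialized per connection, never shared
        session.update(member=user, miles=ACCOUNTS[user]["miles"])
        return session

def cross_account_leaks(worker, logins):
    """Replay logins on one worker; return (logged_in_user, account_shown) mismatches."""
    leaks = []
    for user, password in logins:
        page = worker.handle(user, password)
        if page is not None and page["member"] != user:
            leaks.append((user, page["member"]))
    return leaks

LOGINS = [("alice", "pw-a"), ("bob", "pw-b"), ("alice", "pw-a")]

if __name__ == "__main__":
    print("startup state :", cross_account_leaks(StartupStateWorker(), LOGINS))
    print("per connection:", cross_account_leaks(PerConnectionWorker(), LOGINS))
```

A replay check like `cross_account_leaks`, run against a single worker with several distinct test accounts, turns a hard-to-reproduce production symptom into a deterministic regression test.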

I hope AA has managed to resolve the issue (it is extremely difficult to replicate such a problem on demand), but having been in a similar situation myself and knowing how difficult it was to diagnose, I feel for the development guys at AA who were probably pulling their hair out trying to understand what had happened.