Jun 25, 2023, 9:58 pm
Date change hack to view waitlist early -- dead again (website & app)
Mar 22, 2024, 2:10 pm
#34
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,336
End of an error - another upgrade list hack no longer works
For the last several weeks someone has published a website that used United's flight status API to grab the upgrade list of any flight regardless of date. I'd been sneakily doing it myself for a year or so with a Python script a friend wrote. But it looks like United finally noticed and implemented some security. Their API now rejects queries for flights more than 4 days out.
Alas! it was nice while it lasted. And if anyone from United IT sees this and wants to give me a secret API endpoint I can use, my DMs are open. 
{
"errors": [
{
"id": "6613xxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
"status": 500,
"code": null,
"detail": "Invalid departure date. The flight departure date is over 4 days.",
"minorCode": null,
"minorDescription": null
}
]
}
"errors": [
{
"id": "6613xxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
"status": 500,
"code": null,
"detail": "Invalid departure date. The flight departure date is over 4 days.",
"minorCode": null,
"minorDescription": null
}
]
}
Mar 22, 2024, 2:29 pm
#35
Join Date: May 2012
Location: ORF, RIC
Programs: UA LT 1K, 3 MM; Marriott Titanium, LTP; IHG Platinum
Posts: 7,245
For the last several weeks someone has published a website that used United's flight status API to grab the upgrade list of any flight regardless of date. I'd been sneakily doing it myself for a year or so with a Python script a friend wrote. But it looks like United finally noticed and implemented some security. Their API now rejects queries for flights more than 4 days out.
Alas! it was nice while it lasted. And if anyone from United IT sees this and wants to give me a secret API endpoint I can use, my DMs are open.
Alas! it was nice while it lasted. And if anyone from United IT sees this and wants to give me a secret API endpoint I can use, my DMs are open.
We still use the "date change" trick on smart devices. I only care about my own flight. As long as this trick is kept, I will be a happy camper.
Mar 22, 2024, 2:31 pm
#36
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,336
I don't think the date change trick will work anymore either. It just confuses the frontend to let you see flight dates based on what the system clock is set to, but once the frontend passes the request to the API the API will reject them.
Mar 23, 2024, 11:00 am
#37
FlyerTalk Evangelist
Join Date: Nov 2014
Location: MSP
Programs: DL PM, UA Gold, WN, Global Entry; +others wherever miles/points are found
Posts: 14,850
Sigh. And this is why you don't talk about this kind of thing, let alone publish a website for it...
This particular bug leaked a lot of rather private information for UA, so I'm surprised it lasted as long as it did, but still sad.
This particular bug leaked a lot of rather private information for UA, so I'm surprised it lasted as long as it did, but still sad.
Mar 23, 2024, 11:21 am
#38
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA ExPlat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 17,629
It seems pretty weird that they didn’t validate the input parameter to the API. Perhaps the API was originally designed for a different (internal) purpose and then just used for something unintended and not anticipated by the API designer? And so fixing it wasn’t quite as simple as adding ge validation (though really not complex either).
Mar 23, 2024, 11:23 am
#39
FlyerTalk Evangelist
Join Date: Nov 2014
Location: MSP
Programs: DL PM, UA Gold, WN, Global Entry; +others wherever miles/points are found
Posts: 14,850
It seems pretty weird that they didn’t validate the input parameter to the API. Perhaps the API was originally designed for a different (internal) purpose and then just used for something unintended and not anticipated by the API designer? And so fixing it wasn’t quite as simple as adding ge validation (though really not complex either).
Frontend says "I want all of this data" so the backend dev writes a single query which exposes all the data in the system so the frontend dev can choose what to render. No one audits for security, because no one involved cares. This kind of thing happens all the time. "We should maybe validate this input" doesn't come with the kind of devs UA pays for.
Mar 24, 2024, 2:28 pm
#40
Join Date: Jun 2020
Location: NJ
Programs: UA Silver, Hyatt Globalist
Posts: 637
Indeed, sad here too. Just noticed it's gone.
Apr 10, 2024, 11:24 am
#42
Join Date: Dec 2019
Location: IAH
Programs: MileagePlus-Premier Silver, Marriott Bonvoy-Silver Elite
Posts: 754
I tried looking at flights in early May on my iPad, no go. UA website error or something like that. And sometimes it shows the top part of the flight status, only missing the important part, WL.
Apr 10, 2024, 1:35 pm
#43
Join Date: Feb 2011
Location: NYC suburbs
Programs: UA LT Gold (BIS), AA LT Plat (CC SUBs & BD), Hilton Dia (CC), Hyatt Glob (BIB), et. al.
Posts: 3,521
~10 years ago there was a “hack” to be able to see future UA flight status, can’t recall exactly how far into the future, IIRC about a month or so. It didn’t work yesterday, went to US generic flight status landing page.
To See Upgrade List:
Format: https://www.united.com/web/en-US/app...ults.aspx?FLN=nnnn&FLD=mm/dd/yyyy&FSO=AAA&FSD=BBB
nnnn = flight number, mm/dd/yyyy = scheduled departure date, AAA = originating airport code, BBB = destination airport code
Sample: https://www.united.com/web/en-US/app...ults.aspx?FLN=645&FLD=04/12/2021&FSO=EWR&FSD=TPA
Format: https://www.united.com/web/en-US/app...ults.aspx?FLN=nnnn&FLD=mm/dd/yyyy&FSO=AAA&FSD=BBB
nnnn = flight number, mm/dd/yyyy = scheduled departure date, AAA = originating airport code, BBB = destination airport code
Sample: https://www.united.com/web/en-US/app...ults.aspx?FLN=645&FLD=04/12/2021&FSO=EWR&FSD=TPA
Apr 10, 2024, 2:05 pm
#44
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,336
No, some numbnuts made a public website that queried the United flight status API to get upgrade lists any time in the future. United noticed and modified the API to reject queries for flights >4 days out.
Apr 24, 2024, 7:22 am
#45
Join Date: Jan 2013
Location: Houston
Programs: UA - 1K, Marriott - Gold, Hilton - Gold, Global Entry,
Posts: 641
Is there any way to see where i am on the upgrade list for a flight more than 2 days out other than calling? I used to be able to change the date on my computer to the day before a flight and see the upgrade list, but that doesn't seem to work now.