Hello again.

This is a short one about a not-so-fun parcel tracking service that I came across after completing the check-out process to order cat food for my furry overlords. The confirmation email that I received shortly after included a different parcel tracking link than I was used to; my go-to web shop apparently got a new delivery partner to transport the goodies.

I got curious about the tracking link provided in that email and started to do what every concerned citizen does when he sees short tokens in a URL. I began to inspect the network traffic of the parcel tracking site to determine what happens with the token in the URL.

Turns out, the frontend takes this token and passes it to a parcel search API to resolve the token to the consignment number:

With the consignment number resolved, the frontend then sends an additional request to retrieve the parcel’s tracking details based on the consignment number and token:

After having identified the process of retrieving parcel details from a tracking link, and realizing that my PII data is protected by a mere 8-character-long alphanumeric token, I grew slightly concerned.

As this site also has a feature to get notified when the status of the parcel changes, users have the option to enter their email address or phone number, which may also be retrievable through one of the public facing API endpoints.

At this point, I started to wonder if any of my friends also had tracking links of the same provider. I was wondering if I could simply use their link and gain access to their PII data… and sure enough, that did the trick. Their shipment details, including the company name the parcel originated from, were included in the tracking details returned by the API.

Shortly after confirming that the knowledge of the token was sufficient to retrieve other customers’ PII, I wondered if the parcel tracking service at least implemented anti-abuse measures such as rate-limiting.

After two hundred requests within a few seconds I had my answer…

Considering that this service stores PII data and sometimes includes the user’s email and/or phone number, wouldn’t this be a juicy target for attackers to harvest data and send “sophisticated” phishing emails? 🤔

After a few more stabs and jabs against the token, I also determined that they are not predictable; instead, they are associated pseudo-randomly. I’ve also learned, through a link shared by a friend, that the tracking links do seem to expire at some point. Unfortunately, I wasn’t able to determine the exact lifetime of a tracking link, but I assume it is at least accessible for two months.

Granted, the token complexity of a charset of [A-Z0-9]{8} is pretty big and might take an attacker quite some time to land a hit, but it remains in the realm of possible attack scenarios one should consider.

I couldn’t resist and wrote a short scraper to simulate this attack scenario. After around one week of scraping, I ended up with roughly 2'000 resolved tokens (token to consignment numbers), which included the basic PII information (shipping details). Out of those 2'000 resolved tokens, around 350 entries contained email addresses and around 210 entries contained mobile phone numbers.

Summary

  • PII data is stored for more than two months and is retrievable through an API
  • Access to this data is protected by an eight (8) character long token
  • The token can be brute-forced due to non-existent anti-automation measures
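
To make the third point concrete from the defender's side, here is an added example (not from the tracking service and not part of my original write-up) of a limiter that counts unknown-token lookups per client and refuses further requests once a threshold is hit. The class name, thresholds, status codes and sample traffic are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

class MissLimiter:
    """Blocks a client after too many unknown-token lookups in a time window."""

    def __init__(self, max_misses=5, window=60.0, block_for=900.0,
                 clock=time.monotonic):
        self.max_misses, self.window, self.block_for = max_misses, window, block_for
        self.clock = clock
        self._misses = defaultdict(deque)  # client -> times of recent misses
        self._blocked_until = {}           # client -> time the block ends

    def allowed(self, client):
        """Check before resolving a token; False means answer HTTP 429."""
        return self.clock() >= self._blocked_until.get(client, float("-inf"))

    def record(self, client, token_found):
        """Call after the lookup. Hits are free, only misses are counted."""
        if token_found:
            return
        now = self.clock()
        recent = self._misses[client]
        recent.append(now)
        while now - recent[0] > self.window:   # drop misses outside the window
            recent.popleft()
        if len(recent) >= self.max_misses:
            self._blocked_until[client] = now + self.block_for
            recent.clear()

def replay(events, **limits):
    """Feed (time, client, token_found) tuples through a limiter with a fake
    clock and return the HTTP status each request would have received."""
    now = [0.0]
    limiter = MissLimiter(clock=lambda: now[0], **limits)
    statuses = []
    for ts, client, found in events:
        now[0] = ts
        if not limiter.allowed(client):
            statuses.append(429)
            continue
        limiter.record(client, found)
        statuses.append(200 if found else 404)
    return statuses

# Constructed sample traffic (documentation IP ranges, not real data):
# one client sends 200 wrong tokens in two seconds, a customer opens a link.
BURST = [(i * 0.01, "203.0.113.7", False) for i in range(200)]
CUSTOMER = [(1.0, "198.51.100.4", True), (2.5, "198.51.100.4", False)]

if __name__ == "__main__":
    print(replay(sorted(BURST + CUSTOMER)).count(429))  # requests refused
```

Counting per client does not catch guessing that is spread across many addresses, so a service-wide alarm on the miss rate and a longer token are still needed on top of this.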

Aftermath

Although the success rate of my proof of concept scraper was disappointing (good for them!), I decided to contact the parcel tracking company to disclose my concerns and provide recommendations to address the issues I’ve encountered.

The “disclosure” process went roughly like this:

  • me: Hello, I have some security concerns I would like to discuss, I can haz email contact?
  • them: Hello, we don’t have a dedicated address for that, just send us the details
  • me: Okay sure! sends detailed writeup with concerns, explanations and recommendations
  • them: radio silence for 1 week
  • me: Hello, anyone there? shakes email client
  • them:

… guess they don’t care. 😾

Oh, I forgot to mention they have a great feature that lets you re-route the parcel under certain circumstances… Now wouldn’t it be a shame if someone were to re-route all the parcels, harvest PII data and ransom the victim’s parcels? /s

‘Til next time.