How another large courier company gave away its customers' personal data

    For a long time I had wanted to write an article about how a postal service I used showed too much data about the parcel and its recipient, but I could not find the time or the right moment.

    Then, the other day, an article was published on Habr, "How a large courier company gave away its customers' personal data", after which I realized that this service is not alone in this.

    Well, I will describe my situation and the results (this post will be shorter than the one linked above).

    [image: a picture to attract attention; it does not relate to the service I am describing]

    At the end of last year I used a service whose name I will not mention, even though the company fixed the vulnerability long ago.

    On the delivery service's website, a link of the form xxxxxxxx.ru/departure_track/?id=XX00000000123456YYY, which I received in an email from the online store where I had placed the order, showed rather detailed information.

    The following data was available:

    - name of the online store;
    - order number in the online store;
    - parcel weight;
    - pickup point, which was often the home address of a private individual;
    - the contact telephone number of the "branch", which in many cases was not the phone of a post office but the recipient's personal mobile number (I verified this with my own parcel).


    Other examples [images not reproduced]

    The information was viewable without authentication and with no limit on how many shipment numbers could be looked up.

    The problem was not only the disclosure of personal data (mobile phone number and home address), but also that fraudsters could easily call customers who were waiting for a parcel and ask them to transfer, for example, a "commission" to their (fraudulent) bank card for a fictitious delivery: all the information needed to convince the customer was available.

    In my letter to the company, I gave this example: a call could be made to the number +380501234567 with the following script:

    - Good afternoon, my name is Andrey, I am an employee of the delivery service XXXXXXXX. Are you expecting a parcel from %COMPANY_NAME%, weighing 1.02 kg, online store order number 4507XXXX-X?
    - Yes.
    - Your address is Kiev, Tatarskaya street, 3, apartment 15, is that correct?
    - Yes.
    - Your package is already with us. You need to pay 45 hryvnias to bank card No. 512345678901234. As soon as we receive the funds, the courier will leave for you immediately.
    - All right.


    Or any other script from the scammers' social-engineering repertoire.

    I recommended restricting how much of this information is shown to unauthenticated users. I periodically find bugs in Internet services and consider this scenario quite realistic and dangerous: too much information was shown on the site without any restrictions, and phone scammers constantly come up with new ways to cheat unsuspecting customers.

    Pleasingly, the company took my letter into account and fixed the vulnerability (it removed the unnecessary fields from the page and later added a CAPTCHA), and also paid me 2000 rubles as a reward, although not immediately.
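    As an added example, not the company's code: a Python sketch of the tracking lookup before and after the kind of fix described above, showing unauthenticated callers only the shipment status, the full record only to the logged-in recipient, and a per-client lookup cap standing in for the CAPTCHA against id enumeration. The record fields, identifiers and limits are constructed for the example.

```python
# Added example (not the courier company's code): tracking lookup that returns
# the full record only to the authenticated recipient, a status-only view to
# everyone else, and caps anonymous lookups per client to hinder enumeration.
import time
from collections import defaultdict, deque

# Constructed sample record; field names and values are hypothetical.
SHIPMENTS = {
    "XX00000000123456YYY": {
        "status": "in transit",
        "shop": "%COMPANY_NAME%",
        "order_no": "4507XXXX-X",
        "weight_kg": 1.02,
        "pickup_point": "Kiev, Tatarskaya street, 3, apartment 15",
        "contact_phone": "+380501234567",
        "recipient_id": "user-42",
    }
}

PUBLIC_FIELDS = ("status",)          # safe to show to anyone holding the link
MAX_LOOKUPS, WINDOW_SEC = 20, 60     # anonymous lookup budget per client
_lookups = defaultdict(deque)        # client id -> timestamps of recent lookups

def _allow_lookup(client_id, now=None):
    """Sliding-window limit so one client cannot sweep shipment ids."""
    now = time.monotonic() if now is None else now
    q = _lookups[client_id]
    while q and now - q[0] > WINDOW_SEC:
        q.popleft()
    if len(q) >= MAX_LOOKUPS:
        return False
    q.append(now)
    return True

def track_vulnerable(shipment_id):
    """The original behaviour: every field, to anyone, without limit."""
    return SHIPMENTS.get(shipment_id)

def track_hardened(shipment_id, client_id, user_id=None, now=None):
    """Minimised view for anonymous callers; full record only for the recipient."""
    if user_id is None and not _allow_lookup(client_id, now):
        return {"error": "too many requests"}
    record = SHIPMENTS.get(shipment_id)
    if record is None:
        return {"error": "not found"}      # no record fields leak on a miss
    if user_id == record["recipient_id"]:
        return {k: v for k, v in record.items() if k != "recipient_id"}
    return {k: record[k] for k in PUBLIC_FIELDS}
```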

    The problem has now been fixed; the site displays the information in truncated form.


    So postal services do differ.
