Threat actors may have had access to information about the package, such as exact shipping details.
Researchers at Pen Test Partners disclosed a vulnerability that could have resulted in personal data loss. An unauthenticated API call vulnerability in DPD Group’s public API could have allowed threat actors to obtain sensitive information about the parcel.
DPDgroup is a France-based parcel delivery network with 1.9 billion global customers. The company’s users can track the movement of their orders using a parcel code and a postcode.
Combined, both pieces of information provide access to shipping details.
The researchers were able to try out parcel codes on API calls and obtain map images with the recipient’s position on the map.
“It is possible to perform some simple OSINT on the image, using the street names and other identifying features to identify a postcode,” claim the researchers.
A threat actor with a valid parcel code and a matching postcode could access tracking information meant for the recipient, such as a person’s full name, email address, and mobile phone number.
Researchers informed DPDgroup about the flaw on September 2, 2021. A month later, the company confirmed that the vulnerability was resolved. The researchers were offered a bug bounty for their discovery.
Even though it’s virtually impossible to guess someone’s parcel number and exploit the vulnerability, threat actors may have used the tactic on specific targets to either intercept packages or phish for sensitive data.
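The gap described above, a map image returned for a parcel code alone while the tracking details require the matching postcode, is shown here next to a checked version. This is an added example, not code from DPDgroup or Pen Test Partners; the function names, the sample parcel record, the lockout threshold and the choice of fix are assumptions made for illustration.

```python
import hmac
from collections import defaultdict

# Constructed sample record; the parcel code, postcode and fields are invented.
PARCELS = {
    "15501234567890": {"postcode": "AB12 3CD", "name": "A. Example",
                       "map_png": b"<map tile centred on the address>"},
}
MAX_FAILURES = 5               # assumed threshold for wrong postcode guesses
_failures = defaultdict(int)   # failed postcode guesses per parcel code


def _norm(postcode):
    """Compare postcodes without regard to spacing or letter case."""
    return "".join(postcode.split()).upper()


def map_image_unauthenticated(parcel_code):
    """The flaw as described: the map is returned for a parcel code alone."""
    parcel = PARCELS.get(parcel_code)
    return (200, parcel["map_png"]) if parcel else (404, b"")


def authorise(parcel_code, postcode):
    """Return the parcel record only if code and postcode both match."""
    if _failures[parcel_code] >= MAX_FAILURES:
        return None            # locked: stops postcode guessing for this code
    parcel = PARCELS.get(parcel_code)
    expected = _norm(parcel["postcode"]) if parcel else ""
    ok = parcel is not None and hmac.compare_digest(
        _norm(postcode).encode(), expected.encode())
    if not ok:
        _failures[parcel_code] += 1
        return None
    return parcel


def map_image_checked(parcel_code, postcode):
    """Every parcel-derived resource goes through the same check."""
    parcel = authorise(parcel_code, postcode)
    # Same response for unknown code, wrong postcode and lockout, so the
    # endpoint does not confirm which parcel codes exist.
    return (200, parcel["map_png"]) if parcel else (404, b"")
```

The point of routing the map endpoint through `authorise` is that the image is itself location data: any resource derived from the parcel record needs the same second factor as the tracking page.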