
I want to say up front that this article is not a cry from the heart, not bragging, and certainly not an attempt to blacken anyone's reputation. I simply urge users to be a little more attentive to the services of the companies that serve them, and the companies themselves to be more attentive to the services they offer their clients. Sometimes, for the convenience of customers, such services sacrifice those same customers' confidentiality. To what extent this happened in my case is described below.
A small lyrical digression (if you don't care for them, skip it).

I somehow missed the moment when strange calls started coming to my phone. No, we are all used to all kinds of "social surveys", offers to switch providers, free visits to some salon, and so on. What was strange was that they called me and asked for my wife. The number is registered to me, that I know for sure. For posting all kinds of "buy/sell" ads I have a separate SIM, and it too is registered in my name. My wife could not have left her details together with my phone number anywhere. It was simply puzzling. Not that I dwelt on these questions much, but at one point I understood everything. It was just a lucky coincidence.
One day my phone once again got a call from Moscow (I live in the regions); they asked me to take part in a survey and asked for my wife. I silently hung up. An hour later I received a long-awaited SMS from the express delivery service whose services we had been using for more than a year. A text similar to the one in the SMS was also sent to me via Viber and by e-mail. The SMS contained a link to the company's official website of the form

www.XXXX.ru/dostavka/?hash=XXXXXXXXXXXXX

through which I could track the movement of the shipment and manage its delivery (refuse the shipment, choose the delivery date, etc.).
When I clicked the link, I saw the browser automatically log in with my phone number and invoice number (the pre-filled authorization form was on screen for literally two seconds), after which I got access to a personal account showing the recipient's personal data (full name and home address) and the date and time of delivery. Here I was thrown for a moment: we often ordered delivery in my wife's name (her full name and address were shown on the site), since she works closer to the company's office and it is usually easier for her to pick up the package, while my phone number was given because I am the one who orders the goods from the sender. At the same time I noticed that no action whatsoever was required of me in order to log in (i.e., to confirm my identity). Just follow the link and voila! Convenient, it would seem.
This circumstance led me to assume that anyone following my link could see information about my shipment (as well as personal data, namely phone number, full name and home address). In itself that is unpleasant enough. At the same time, the word "hash" in the address gave me hope that the sequence following it was the output of some hash function, and that finding a sequence that leads into someone else's personal account would be difficult. To check this assumption I changed the last character (a digit) in the sequence and landed in someone else's personal account, where other people's personal data were available to me and, on entering, someone else's phone number was automatically substituted into the login form. After a cursory run through the "neighboring" personal accounts, I realized that the sequence of characters following "?hash=" is not the output of a hash function but a kind of code issued in order to each client for each individual shipment. Replacing other characters in the sequence (hexadecimal digits) with the preceding or following ones let me get into other people's personal accounts without any authorization, giving access to the phone number, the recipient's name and the address (often a home address).
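The following is an added example, not code from the original article or from the company concerned. It models the tracking link described above as a toy service in Python and contrasts the enumerable scheme the author found (a sequential hex counter behind "?hash=", sufficient on its own to open the account) with a non-guessable token that still requires a second factor. The record contents, the counter's starting value, the class names and the one-time-code flow are all assumptions made for illustration.

```python
"""Added example, not code from the original article: a toy model of a
tracking link whose '?hash=' value is a sequential hex counter, beside a
hardened variant. Sample records and the counter start value are made up."""
import hashlib
import secrets
import string
from dataclasses import dataclass

HEX = string.hexdigits[:16]  # '0123456789abcdef'


@dataclass
class Shipment:
    phone: str
    recipient: str
    address: str


# Constructed sample records; not real customers.
SHIPMENTS = [Shipment(f"+7900000000{i}", f"Recipient {i}", f"Street {i}")
             for i in range(6)]


class WeakTracker:
    """Vulnerable scheme: the 'hash' is a zero-padded hex counter and
    presenting it is the only thing needed to see the record."""

    def __init__(self):
        self.db = {}
        self.counter = 0x10A0  # arbitrary starting value (assumption)

    def issue(self, shipment):
        token = format(self.counter, "013x")
        self.counter += 1
        self.db[token] = shipment
        return token

    def view(self, token):
        return self.db.get(token)


class HardenedTracker:
    """256-bit token from a CSPRNG, stored only as its SHA-256 digest so a
    database leak does not hand out live links, and the record is shown
    only after a one-time code proves possession of the phone."""

    def __init__(self):
        self.db = {}
        self.pending = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, shipment):
        token = secrets.token_urlsafe(32)
        self.db[self._key(token)] = shipment
        return token

    def start_login(self, token):
        """Step 1: a valid token produces a 6-digit code. In production it
        is sent to the shipment's phone; it is returned here only so the
        example runs offline."""
        key = self._key(token)
        if key not in self.db:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[key] = code
        return code

    def view(self, token, code):
        """Step 2: token plus the correct, single-use code opens the record."""
        key = self._key(token)
        expected = self.pending.pop(key, None)
        if expected is None or not secrets.compare_digest(expected, code):
            return None
        return self.db.get(key)


def neighbours(token):
    """Tokens differing from `token` in one hex digit by +-1: exactly the
    manual edit described in the article. Non-hex characters are left alone."""
    out = []
    for i, ch in enumerate(token):
        if ch not in HEX:
            continue
        v = HEX.index(ch)
        for delta in (-1, 1):
            if 0 <= v + delta < 16:
                out.append(token[:i] + HEX[v + delta] + token[i + 1:])
    return out


def idor_exposure(view, my_token):
    """Number of neighbouring tokens that open *someone else's* record.
    Anything above zero means the token space can be walked; it should be 0."""
    mine = view(my_token)
    hits = 0
    for t in neighbours(my_token):
        other = view(t)
        if other is not None and other is not mine:
            hits += 1
    return hits


def demo():
    weak, hard = WeakTracker(), HardenedTracker()
    weak_tokens = [weak.issue(s) for s in SHIPMENTS]
    hard_tokens = [hard.issue(s) for s in SHIPMENTS]
    weak_hits = idor_exposure(weak.view, weak_tokens[2])
    # Without the one-time code the hardened endpoint shows nothing at all.
    hard_hits = idor_exposure(lambda t: hard.view(t, ""), hard_tokens[2])
    return weak_hits, hard_hits
```

Running demo() returns (2, 0): with the counter scheme, the two tokens adjacent to your own both open other customers' records, while the hardened scheme shows nothing without the code. Note that the word "hash" in a URL says nothing about guessability; what matters is that the value comes from a CSPRNG, is long enough that enumeration is hopeless, and is not the only thing standing between the link and the personal data.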
So, to my horror, I understood that the company keeps its clients' personal data (my wife's included) in plain text on pages accessible to anyone who can reach its official website. To get at the personal data of the company's clients across the country, it suffices to scrape the personal-account pages, substituting values for the sequence that follows "/?hash=" in the URL. And the site had absolutely no protection against scraping. A crawler hastily knocked together on my knee, without any proxies, collected several hundred live records in 20 threads in literally a couple of minutes, after which I switched it off. No, the IP was not banned. It was a bombshell. In fairness, it must be said that this way one could collect the data not of all customers, but only of those in, so to speak, the "active phase of receiving a shipment". Until the shipment arrived at one of the nearest sorting centers, and almost immediately after it was received, access to the delivery management account was closed, but the phone and invoice number were still displayed in the login form (i.e., a base of live phone numbers could still be collected).
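The scraping described above leaves an obvious trace in ordinary web-server logs: one client fetching many different "hash" values in seconds, something no real customer does. The following is an added example, not part of the original article, of the detection logic a site operator could run over access logs. The log lines are constructed for this example, the "/dostavka/?hash=" path follows the link format quoted earlier, and the window and threshold values are assumptions to be tuned to real traffic.

```python
"""Added example, not from the original article: flag clients that walk
many distinct '?hash=' values in a short window, from access-log lines.
All log lines below are constructed; IPs are documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format lines, constructed and sorted by time as a real log is.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:00:00 +0300] "GET /dostavka/?hash=00000000010a0 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2019:10:00:00 +0300] "GET /dostavka/?hash=00000000010a1 HTTP/1.1" 200 5133
203.0.113.7 - - [12/Mar/2019:10:00:01 +0300] "GET /dostavka/?hash=00000000010a2 HTTP/1.1" 200 5098
198.51.100.4 - - [12/Mar/2019:10:00:01 +0300] "GET /dostavka/?hash=00000000010c9 HTTP/1.1" 200 5100
203.0.113.7 - - [12/Mar/2019:10:00:01 +0300] "GET /dostavka/?hash=00000000010a3 HTTP/1.1" 200 5101
203.0.113.7 - - [12/Mar/2019:10:00:02 +0300] "GET /dostavka/?hash=00000000010a4 HTTP/1.1" 200 5111
203.0.113.7 - - [12/Mar/2019:10:00:02 +0300] "GET /dostavka/?hash=00000000010a5 HTTP/1.1" 200 5090
203.0.113.7 - - [12/Mar/2019:10:00:03 +0300] "GET /dostavka/?hash=00000000010a6 HTTP/1.1" 200 5125
203.0.113.7 - - [12/Mar/2019:10:00:03 +0300] "GET /favicon.ico HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2019:10:00:04 +0300] "GET /dostavka/?hash=00000000010a7 HTTP/1.1" 200 5108
198.51.100.4 - - [12/Mar/2019:10:02:30 +0300] "GET /dostavka/?hash=00000000010c9 HTTP/1.1" 200 5100
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
HASH_RE = re.compile(r"/dostavka/\?hash=(?P<hash>[0-9a-fA-F]+)")


def parse(line):
    """Return (ip, timestamp, hash, status) for a tracking-page request,
    or None for unparseable lines and requests without a hash parameter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h = HASH_RE.search(m["path"])
    if not h:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, h["hash"].lower(), int(m["status"])


def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return {ip: peak_distinct_hashes} for clients that requested more than
    `max_distinct` different hash values within `window`. A customer follows
    one or two of their own links; a scraper walks many values quickly.
    Lines are assumed to be in time order, as in a server log."""
    per_ip = defaultdict(deque)  # ip -> deque of (timestamp, hash)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, hsh, _status = rec
        q = per_ip[ip]
        q.append((ts, hsh))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({h for _, h in q})
        if distinct > max_distinct:
            flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged
```

On the constructed log, find_enumerators returns {"203.0.113.7": 8}: the client that walked eight adjacent values in four seconds is flagged, the customer who opened the same link twice is not. With sequential tokens one can go further and flag clients whose successive hash values differ by exactly one; with random tokens the simple distinct-count rule is enough, since a guesser then produces a stream of 404s rather than 200s, which the status field already exposes.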
[Screenshot: before a certain point, and after the shipment is received, delivery management is not available]

Thus, the method the company had chosen for storing customers' personal data allowed uncontrolled disclosure of that data to third parties, which is a gross violation of the requirements of Articles 7 and 19 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data". On the one hand, I really wanted to complain to Roskomnadzor; on the other, I understood that for the company, building websites was not its line of business (judging by the copyright notices on the site), and it could hardly have a security team on staff. Therefore, writing in my own name, I waited a couple of days until goods arrived in my name, made sure everything was still working, and reported the problem I had found, honestly stating that I intended to write about it as soon as the vulnerability was closed or two weeks from the time of my report, whichever came first. In response I received a perfunctory thank-you and a promise to pass the information on to management and to my account manager.
How long this flaw had existed on the site one can only guess, but I am sure that interested parties exploited it to the full. Today (almost three weeks later) the hole seems to be closed. Beyond that, company representatives did not contact me.