I have long wanted to write an article, because a postal service I used showed far too much data about a parcel and its recipient, but I never found the time or the right moment.
Then the other day the article "How a large courier company gave out personal data of its customers" was published on Habr, and after reading it I realized that this service is not alone: many services suffer from the same problem.
So I will describe my situation and the outcome (this post will be shorter than the one above).
(Picture to attract attention. The picture has nothing to do with the service I am describing.)
At the end of last year I used a delivery service whose name I will not mention, even though the company fixed the vulnerability long ago.
On the delivery service's website, a link of the form xxxxxxxx.ru/departure_track/?id=XX00000000123456YYY, which I received in an e-mail from the online store where I had placed an order, showed rather detailed information.
The following data was available:
- the name of the online store;
- the online store's order number;
- the parcel weight;
- the pickup point, which was often the address of a private individual;
- and the contact telephone number of the branch, which in many cases was not the post office's number but the recipient's personal mobile number (I checked this on my own parcel).

The information was available without authorization and without any limit on the number of tracking numbers that could be looked up.
The problem was not only the disclosure of personal data (mobile phone number and home address). Bad actors could also easily call customers who were waiting for a package and ask them to transfer, say, a delivery fee to their (fraudulent) bank card for a fictitious delivery; all the information needed to convince the customer was available.
In the letter I sent to the company, I gave an example: a call could be made to the number +380401234567 with the following data:
- Good afternoon, my name is Andrey, I am an employee of the delivery service XXXXXXXX. Are you expecting a parcel from %COMPANY_NAME%, weighing 1.02 kg, online store order number 4507XXXX-X?
- Yes.
- Your address is Kiev, Tatarskaya street, 3, apartment 15; is that correct?
- Yes.
- Your package is already with us. You need to pay 45 hryvnia to bank card № 512345678901234. As soon as we receive the funds, the courier will leave for you immediately.
- Fine.
Or any other conversation script from the social engineering toolbox used by scammers.
I recommended limiting the amount of information shown to unauthorized users. I occasionally find errors in Internet services, and I believe this situation is quite realistic and dangerous: too much information was available on the site without restriction, and the scammers who call people are constantly inventing new ways to cheat gullible buyers.
Pleasingly, the company took my letter into account and fixed the vulnerability (it removed the extra fields from the page and later added a captcha), and it also paid me 2,000 rubles as a reward, though not immediately.
Today the problem is fixed and the site displays the information in truncated form.
So postal services do differ.
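As an added example (not the service's own code, which I never saw), this shows how a tracking endpoint can serve the same record in the truncated form described above: an unauthenticated lookup learns only the status, the full view with a partially masked phone number is reserved for the authenticated recipient, and a per-client lookup limit keeps tracking ids from being enumerated freely. The sample record, the public field list and the limits are my assumptions.

```python
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample record keyed by tracking id (not real data).
PARCELS = {"XX00000000123456YYY": {
    "tracking_id": "XX00000000123456YYY", "status": "arrived at pickup point",
    "store_name": "Example Store", "store_order_no": "4507XXXX-X", "weight_kg": 1.02,
    "pickup_address": "Kiev, Tatarskaya street, 3, apartment 15",  # often a private home
    "contact_phone": "+380401234567",  # often the recipient's own mobile number
}}
PUBLIC_FIELDS = ("tracking_id", "status")  # assumed policy for unauthenticated lookups

def mask_phone(phone: str) -> str:
    """Hide every digit except the last two; non-digits such as '+' are kept."""
    digits = [i for i, c in enumerate(phone) if c.isdigit()]
    hidden = set(digits[:-2])
    return "".join("*" if i in hidden else c for i, c in enumerate(phone))

def public_view(p: dict) -> dict:
    """Unauthenticated view: only the fields listed in PUBLIC_FIELDS."""
    return {k: p[k] for k in PUBLIC_FIELDS}

def owner_view(p: dict) -> dict:
    """Authenticated recipient's view: all fields, phone partially masked."""
    return {**p, "contact_phone": mask_phone(p["contact_phone"])}

class LookupThrottle:
    """Sliding-window cap on lookups per client, so ids cannot be enumerated freely."""
    def __init__(self, max_lookups: int, window_s: float):
        self.max, self.window = max_lookups, window_s
        self._hits = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True

def track(tracking_id: str, client: str, throttle: LookupThrottle,
          authenticated: bool = False, now: Optional[float] = None) -> dict:
    now = time.monotonic() if now is None else now
    if not throttle.allow(client, now):
        return {"error": "too many lookups"}
    p = PARCELS.get(tracking_id)
    if p is None:
        return {"error": "not found"}
    return owner_view(p) if authenticated else public_view(p)
```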