Geekzone: technology news, blogs, forums

114 posts, Master Geek

# 249226 1-May-2019 17:51

Before anyone asks, I reported this to PBT on 26th March and had no reply.

Recently, when trying to find a way to automatically get updates on my parcel progress with PBT, I discovered a way in which the receiver and destination of any given tracking number can be obtained, simply by feeding the tracking number into: http://www.pbt.co.nz/cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=TRACKINGNO

For example, using wget or curl with http://www.pbt.co.nz/cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345678 (or even just "view source" in a web browser) shows you that the parcel was being sent to Just Jeans in Timaru. I purposefully show a commercial address here, as if you input a tracking number for a residential destination, you get the person's full name as well as their address.

How serious is this? I can imagine it could be abused if someone knew what tracking numbers were likely to be used next (and in fact, I know a few prefixes where it's easy to tell...), since that would provide an easy way to find out which addresses were likely to receive unattended parcels...

Given that PBT didn't bother to get back to me, I'd like some feedback around whether to cause any further noise about this. Also, by posting this (semi-)publicly, maybe they'll take it a bit more seriously?

6634 posts, Uber Geek, Trusted, Lifetime subscriber

# 2228892 1-May-2019 17:59

That second link is going to a blank page for me (there's some JavaScript on it, but no content).

114 posts, Master Geek

# 2228893 1-May-2019 18:02

Behodar:

That second link is going to a blank page for me (there's some JavaScript on it, but no content).

The address is inside the JavaScript callback. If you're on Chrome: view-source:http://www.pbt.co.nz/cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345678

6634 posts, Uber Geek, Trusted, Lifetime subscriber

# 2228895 1-May-2019 18:06
One person supports this post

Ah, you're right! Sorry; the browser I'm using doesn't wrap the source by default and I didn't realise that there was anything of value in there.

It does seem like a vulnerability; even matching names to addresses is presumably a privacy violation even if you have to guess a tracking number.

76 posts, Master Geek, Trusted

# 2228907 1-May-2019 18:39
8 people support this post

I would suggest you reach out to CERT NZ.

1 post, Wannabe Geek

# 2233559 9-May-2019 11:31

The entire system is open. If you go to the tracker on their website and plug in a ticket number you can see all the info (try clicking the map link!). And after you've seen that, there's a handy button to browse through more tickets in the series.

I can't see you'll get much traction. This seems to be a long-standing issue! Article here from 5 years ago describing it: https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11283853

114 posts, Master Geek

# 2233572 9-May-2019 11:39

jhmenz:

The entire system is open. If you go to the tracker on their website and plug in a ticket number you can see all the info (try clicking the map link!). And after you've seen that, there's a handy button to browse through more tickets in the series.

I can't see you'll get much traction. This seems to be a long-standing issue! Article here from 5 years ago describing it: https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11283853

The map link doesn't work for me, (un?)fortunately. I've reached out to CERT, who are treating it as an "incident", but we'll see how far that goes...

Perhaps the privacy commissioner may be interested?

2355 posts, Uber Geek, Trusted, Subscriber

# 2233579 9-May-2019 11:47

I'm guessing their logic is that if you have the tracking number in your hand, then you probably also have the parcel in your hands.

If you have the parcel, the recipient's name and address are normally written on it too anyway.

The only flaw I see here is that it's too easy to find out who other customers of a business are, as tickets are generally printed in sequence.

49 posts, Geek

# 2233691 9-May-2019 13:51

DSE sent my Pixel 3 via PBT last year and they emailed me a tracking number as expected. The PBT tracking tool let me browse from tracking that specific package to viewing all the other packages in that consignment. IIRC this included destination addresses and delivery status for all the other Pixel 3s DSE was shipping to NZ customers.

391 posts, Ultimate Geek

# 2237025 14-May-2019 22:19

You could try the Department of Internal Affairs; I have reported various issues to CERT but they don't do anything about them.

But the DIA might, or maybe Internet NZ.

Ford

2355 posts, Uber Geek, Trusted, Subscriber

# 2237076 15-May-2019 00:46

davidrg:

DSE sent my Pixel 3 via PBT last year and they emailed me a tracking number as expected. The PBT tracking tool let me browse from tracking that specific package to viewing all the other packages in that consignment. IIRC this included destination addresses and delivery status for all the other Pixel 3s DSE was shipping to NZ customers.

Was thinking about this more. A nefarious 'removals expert' could so easily order something, then trawl through all the other labels and create a shopping list when they find worthwhile items.

If you know the delivery date, they could be stolen from your doorstep.

This is really poor form! The delivery address and name shouldn't be public.

Privacy commissioner won't be pleased!
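One way a carrier could close the hole this thread describes, as an added illustration that is not PBT's code: a weak lookup that hands back the full label for any tracking number, next to a hardened one that requires a per-shipment secret issued only with the shipping notification, returns just town and delivery status, and throttles a client after repeated failed lookups. The shipment records, tracking numbers and tokens are constructed.

```python
"""Weak vs hardened parcel-status lookup (added illustration, not PBT's code).
All shipment records, tracking numbers and tokens below are constructed."""
import hmac
import secrets
import time
from collections import defaultdict

def make_shipment(tracking, name, street, town, status):
    """Build a shipment record with a random, unguessable per-shipment token."""
    return {"tracking": tracking, "name": name, "street": street, "town": town,
            "status": status, "token": secrets.token_urlsafe(16)}

# Constructed sample consignment with sequential numbers, like the labels in the thread.
SHIPMENTS = {s["tracking"]: s for s in [
    make_shipment("II12345678", "Example Retailer", "1 Example St", "Timaru", "Delivered"),
    make_shipment("II12345679", "A. Resident", "2 Example Ave", "Oamaru", "In transit"),
]}

def weak_track(tracking):
    """Weak form: the tracking number alone returns the full label (name and street)."""
    s = SHIPMENTS.get(tracking)
    return None if s is None else {k: s[k] for k in ("name", "street", "town", "status")}

class HardenedTracker:
    """Hardened form: requires the per-shipment token, returns only town and
    status, and throttles a client after MAX_FAILURES misses in WINDOW_SECONDS."""
    MAX_FAILURES = 5
    WINDOW_SECONDS = 600

    def __init__(self, shipments):
        self._shipments = shipments
        self._failures = defaultdict(list)  # client_id -> timestamps of failed lookups

    def _throttled(self, client_id, now):
        recent = [t for t in self._failures[client_id] if now - t < self.WINDOW_SECONDS]
        self._failures[client_id] = recent
        return len(recent) >= self.MAX_FAILURES

    def track(self, tracking, token, client_id, now=None):
        now = time.time() if now is None else now
        if self._throttled(client_id, now):
            return None  # same answer as a miss, so throttling itself leaks nothing
        s = self._shipments.get(tracking)
        # Compare against a dummy for unknown numbers so timing does not reveal which exist.
        expected = s["token"] if s else "x" * 22
        if s is None or not hmac.compare_digest(expected, token):
            self._failures[client_id].append(now)
            return None
        return {"town": s["town"], "status": s["status"]}
```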
