Does this PBT security vulnerability matter?

Forums › IT Pro and developers › Does this PBT security vulnerability matter?

backfiah

219 posts

Master Geek

#249226 1-May-2019 17:51

Before anyone asks, I reported this to PBT on 26th March and had no reply.

Recently when trying to find a way to automatically get updates on my parcel process with PBT, I discovered a way in which the receiver and destination of any given tracking number can be obtained, simply by feeding the tracking no in to: http://www.pbt.co.nz/cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=TRACKINGNO

For example, using wget or curl with http://www.pbt.co.nz/cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345678 (or even just "view source" in a web browser) shows you that the parcel was being sent to Just Jeans in timaru. I purposefully show a commercial address here, as if you input a tracking no for a residential destination, you get the person's full name as well as their address.

How serious is this? I can imagine it could be abused if someone knew what tracking nos were likely to be used next (and in fact, I know a few prefixes where its easy to tell...), since that would provide an easy way to find out which addresses were likely to receive unattended parcels...

Given that PBT didn't bother to get back to me, I'd like some feedback around whether to cause any further noise about this. Also, by posting this (semi-) publicly, maybe they'll take it a bit more seriously?

Behodar

10508 posts

Uber Geek

Trusted

Lifetime subscriber

#2228892 1-May-2019 17:59

That second link is going to a blank page for me (there's some JavaScript on it, but no content).

backfiah

219 posts

Master Geek

#2228893 1-May-2019 18:02

Behodar:

That second link is going to a blank page for me (there's some JavaScript on it, but no content).

The address is inside the JavaScript callback. If you're on chrome: view-source:http://www.pbt.co.nz/cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345678

Behodar

10508 posts

Uber Geek

Trusted

Lifetime subscriber

#2228895 1-May-2019 18:06

Ah, you're right! Sorry; the browser I'm using doesn't wrap the source by default and I didn't realise that there was anything of value in there.

It does seem like a vulnerability; even matching names to addresses is presumably a privacy violation even if you have to guess a tracking number.

Noviota

85 posts

Master Geek

Trusted

#2228907 1-May-2019 18:39

I would suggest you reach out to CERT NZ.

jhmenz

1 post

Wannabe Geek

#2233559 9-May-2019 11:31

The entire system is open. If you go the the tracker on their website and plug in a ticket number you can see all the info (try clicking the map link!). And after you've seen that, there's a handy button to browse through more tickets in the series.

I can't see you'll get much traction. This seems to be a long standing issue! Article here from 5 years ago describing it https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11283853

backfiah

219 posts

Master Geek

#2233572 9-May-2019 11:39

jhmenz:

The entire system is open. If you go the the tracker on their website and plug in a ticket number you can see all the info (try clicking the map link!). And after you've seen that, there's a handy button to browse through more tickets in the series.

I can't see you'll get much traction. This seems to be a long standing issue! Article here from 5 years ago describing it https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11283853

The map link doesn't work for me (un?)fortunately. I've reached out to CERT who are treating it as an "incident", but we'll see how far that goes...

Perhaps the privacy commissioner may be interested?

insane

3240 posts

Uber Geek

ID Verified

Trusted

#2233579 9-May-2019 11:47

I'm guessing their logic is that if you have the tracking number in your hand, then you probably also have the parcel in your hands.

If you have the parcel, the recipient name and address is normally written on it too anyway.

Only flaw I see here is that it's too easy to find out who other customers of a business are as tickets are generally printed in sequence.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

davidrg

67 posts

Master Geek

#2233691 9-May-2019 13:51

DSE sent my pixel 3 via PBT last year and they emailed me a tracking number as expected. The PBT tracking tool let me browse from tracking that specific package to viewing all the other packages in that consignment. IIRC this included destination addresses and delivery status for all the other pixel 3s DSE was shipping to NZ customers.

Ford

330 posts

Ultimate Geek
Inactive user

#2237025 14-May-2019 22:19

You could try the Department of Internal Affairs, I have reported various issues to CERT but they don't do anything about them.

But the DIA might, or maybe Internet NZ

Ford

insane

3240 posts

Uber Geek

ID Verified

Trusted

#2237076 15-May-2019 00:46

davidrg:
DSE sent my pixel 3 via PBT last year and they emailed me a tracking number as expected. The PBT tracking tool let me browse from tracking that specific package to viewing all the other packages in that consignment. IIRC this included destination addresses and delivery status for all the other pixel 3s DSE was shipping to NZ customers.

Was thinking about this more. A nefarious 'removals expert' could so easily order something, then troll through all the other labels and create a shopping list when they find worthwhile items.

If you know the delivery date they could be stolen from your doorstep.

This is really poor form! The delivery address and name shouldn't be public.

Privacy commissioner won't be pleased!