Geekzone: technology news, blogs, forums




122 posts

Master Geek


# 249226 1-May-2019 17:51

Before anyone asks, I reported this to PBT on 26th March and had no reply.

Recently, when trying to find a way to automatically get updates on my parcel's progress with PBT, I discovered a way in which the receiver and destination of any given tracking number can be obtained, simply by feeding the tracking number into: http://www.pbt.co.nz/cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=TRACKINGNO

For example, using wget or curl with http://www.pbt.co.nz/cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345678 (or even just "view source" in a web browser) shows you that the parcel was being sent to Just Jeans in Timaru. I purposefully show a commercial address here, as if you input a tracking number for a residential destination, you get the person's full name as well as their address.

How serious is this? I can imagine it could be abused if someone knew which tracking numbers were likely to be used next (and in fact, I know a few prefixes where it's easy to tell...), since that would provide an easy way to find out which addresses were likely to receive unattended parcels...

Given that PBT didn't bother to get back to me, I'd like some feedback around whether to cause any further noise about this. Also, by posting this (semi-)publicly, maybe they'll take it a bit more seriously?
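An added illustration of the design problem the post describes, in Python (this is example code written for this page, not PBT's code and not from the original poster). The weak lookup hands out the full record to anyone holding a tracking number, and because numbers in a series are sequential, holding one is as good as holding the whole series. The hardened version keeps delivery status public but gates name and address behind a per-parcel access code derived with HMAC from a server-side key, compares it in constant time, and throttles clients that keep submitting bad codes. The shipment data, key, code length and rate-limit thresholds are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample consignment (made-up names and addresses). Labels in a
# series are printed in sequence, which is what lets a caller who holds one
# number walk the rest.
SHIPMENTS = {
    "II12345678": {"status": "Delivered", "name": "Just Jeans", "address": "Timaru"},
    "II12345679": {"status": "In transit", "name": "A. Person", "address": "12 Example St, Wellington"},
    "II12345680": {"status": "In transit", "name": "B. Person", "address": "3 Sample Rd, Auckland"},
}

# Assumption: a secret kept server-side. A fixed placeholder is used here so
# the example is deterministic; generate a random 32-byte key in practice.
SERVER_KEY = b"demo-only-key-not-for-production-use"


def lookup_weak(tracking_no):
    """Before: the tracking number alone unlocks the full record, which is
    the behaviour described in the thread. Guess the next number in the
    series and you get the next recipient."""
    return SHIPMENTS.get(tracking_no)


def access_code(tracking_no, key=SERVER_KEY):
    """Per-parcel code derived from the tracking number with HMAC-SHA256.
    It goes only to the sender/recipient (e.g. in the notification email)
    and is never printed on the label, so a sequential number on its own
    is not enough to read the address."""
    mac = hmac.new(key, tracking_no.encode(), hashlib.sha256).digest()
    return mac[:8].hex()  # 16 hex chars (64 bits): unguessable, still typeable


class FailureLimiter:
    """Sliding-window count of wrong codes per client. Blocks brute force of
    the code and slows anyone walking a series with guessed codes."""

    def __init__(self, max_failures=10, window_s=600):
        self.max_failures = max_failures
        self.window_s = window_s
        self.failures = defaultdict(deque)

    def blocked(self, client, now):
        q = self.failures[client]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, client, now):
        self.failures[client].append(now)


LIMITER = FailureLimiter()


def lookup_hardened(tracking_no, code=None, client="anon", now=None, limiter=LIMITER):
    """After: status is public; name and address require the per-parcel code.
    Wrong codes are counted per client and compared in constant time."""
    now = time.time() if now is None else now
    record = SHIPMENTS.get(tracking_no)
    if record is None or limiter.blocked(client, now):
        return None  # same answer for unknown numbers and throttled clients
    public = {"status": record["status"]}
    if code is None:
        return public
    if hmac.compare_digest(code, access_code(tracking_no)):
        return dict(record)
    limiter.record_failure(client, now)
    return public


if __name__ == "__main__":
    print("weak:", lookup_weak("II12345679"))
    print("public:", lookup_hardened("II12345679", client="demo", now=0))
    print("with code:", lookup_hardened("II12345679", access_code("II12345679"), client="demo", now=1))
```

The key point is that the tracking number is an identifier, not a secret: it is printed on the label and increments predictably, so it cannot act as the capability that unlocks personal data. Anything that reveals name or address needs a second factor that only the parties to the shipment hold, and the server should answer unknown numbers and throttled clients identically so the endpoint cannot be used to confirm which numbers exist.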

 

  


6763 posts

Uber Geek

Trusted
Lifetime subscriber

  # 2228892 1-May-2019 17:59

That second link is going to a blank page for me (there's some JavaScript on it, but no content).




122 posts

Master Geek


  # 2228893 1-May-2019 18:02

Behodar:

That second link is going to a blank page for me (there's some JavaScript on it, but no content).

The address is inside the JavaScript callback. If you're on Chrome: view-source:http://www.pbt.co.nz/cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345678


6763 posts

Uber Geek

Trusted
Lifetime subscriber

  # 2228895 1-May-2019 18:06
One person supports this post

Ah, you're right! Sorry; the browser I'm using doesn't wrap the source by default and I didn't realise that there was anything of value in there.

 

It does seem like a vulnerability; even matching names to addresses is presumably a privacy violation even if you have to guess a tracking number.


76 posts

Master Geek

Trusted

  # 2228907 1-May-2019 18:39
8 people support this post

I would suggest you reach out to CERT NZ.


1 post

Wannabe Geek


  # 2233559 9-May-2019 11:31

The entire system is open. If you go to the tracker on their website and plug in a ticket number you can see all the info (try clicking the map link!). And after you've seen that, there's a handy button to browse through more tickets in the series.

I can't see you'll get much traction. This seems to be a long-standing issue! Article here from 5 years ago describing it: https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11283853




122 posts

Master Geek


  # 2233572 9-May-2019 11:39

jhmenz:

The entire system is open. If you go to the tracker on their website and plug in a ticket number you can see all the info (try clicking the map link!). And after you've seen that, there's a handy button to browse through more tickets in the series.

I can't see you'll get much traction. This seems to be a long-standing issue! Article here from 5 years ago describing it: https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11283853

The map link doesn't work for me, (un?)fortunately. I've reached out to CERT, who are treating it as an "incident", but we'll see how far that goes...

Perhaps the Privacy Commissioner may be interested?


2401 posts

Uber Geek

Trusted
Subscriber

  # 2233579 9-May-2019 11:47

I'm guessing their logic is that if you have the tracking number in your hand, then you probably also have the parcel in your hands.

If you have the parcel, the recipient name and address is normally written on it too anyway.

Only flaw I see here is that it's too easy to find out who other customers of a business are as tickets are generally printed in sequence.

 
 
 
 


49 posts

Geek


  # 2233691 9-May-2019 13:51

DSE sent my pixel 3 via PBT last year and they emailed me a tracking number as expected. The PBT tracking tool let me browse from tracking that specific package to viewing all the other packages in that consignment. IIRC this included destination addresses and delivery status for all the other pixel 3s DSE was shipping to NZ customers.
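An added example, written for this page rather than taken from the thread or from PBT, of what the behaviour described in the posts above looks like from the operator's side and how to spot it. A client that walks a consignment produces a run of lookups for consecutive tracking numbers from one source; the script below parses web-server access log lines for the tracking endpoint named in the first post, groups the numbers by client and series prefix, and flags clients whose longest consecutive run crosses a threshold. The log lines are constructed (Apache combined format, documentation-range IPs, made-up numbers) and the threshold of five is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Apache combined format). 198.51.100.20 does a
# single lookup; 203.0.113.7 walks seven consecutive numbers in the II series
# plus one stray number. Nothing here is real traffic.
SAMPLE_LOG = """\
198.51.100.20 - - [01/May/2019:17:51:02 +1200] "GET /cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345678 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2019:17:52:10 +1200] "GET /cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345678 HTTP/1.1" 200 1843 "-" "curl/7.64.0"
203.0.113.7 - - [01/May/2019:17:52:11 +1200] "GET /cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345679 HTTP/1.1" 200 1851 "-" "curl/7.64.0"
203.0.113.7 - - [01/May/2019:17:52:12 +1200] "GET /cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345680 HTTP/1.1" 200 1839 "-" "curl/7.64.0"
203.0.113.7 - - [01/May/2019:17:52:13 +1200] "GET /cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345681 HTTP/1.1" 200 1860 "-" "curl/7.64.0"
203.0.113.7 - - [01/May/2019:17:52:14 +1200] "GET /cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345682 HTTP/1.1" 200 1844 "-" "curl/7.64.0"
203.0.113.7 - - [01/May/2019:17:52:15 +1200] "GET /cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345683 HTTP/1.1" 200 1847 "-" "curl/7.64.0"
203.0.113.7 - - [01/May/2019:17:52:16 +1200] "GET /cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345684 HTTP/1.1" 200 1852 "-" "curl/7.64.0"
203.0.113.7 - - [01/May/2019:17:52:18 +1200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.64.0"
203.0.113.7 - - [01/May/2019:17:52:19 +1200] "GET /cgi-bin/fcisapi.dll?w3exec=webPBtrack&w3ServerPool=pbtclive&webvalue=II12345690 HTTP/1.1" 200 1790 "-" "curl/7.64.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Tracking numbers seen in the thread are a letter prefix followed by digits.
TRACK_RE = re.compile(r"^(?P<prefix>[A-Z]+)(?P<num>\d+)$")


def tracking_number(target):
    """Return the webvalue= tracking number from a request target, or None."""
    vals = parse_qs(urlsplit(target).query).get("webvalue")
    return vals[0] if vals else None


def lookups_by_client(lines):
    """Map client IP -> {series prefix: set of numeric parts} for tracking lookups."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        tn = tracking_number(m.group("target"))
        t = TRACK_RE.match(tn) if tn else None
        if not t:
            continue  # not a tracking lookup (static assets, other endpoints)
        seen[m.group("ip")][t.group("prefix")].add(int(t.group("num")))
    return seen


def longest_run(nums):
    """Length of the longest run of consecutive integers in nums."""
    best = cur = 0
    prev = None
    for n in sorted(set(nums)):
        cur = cur + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, cur)
        prev = n
    return best


def flag_enumerators(lines, min_run=5):
    """Clients whose longest run of consecutive numbers in one series is >= min_run.
    Returns {ip: (prefix, run_length)} for the client's worst series."""
    flagged = {}
    for ip, series in lookups_by_client(lines).items():
        run, prefix = max((longest_run(nums), p) for p, nums in series.items())
        if run >= min_run:
            flagged[ip] = (prefix, run)
    return flagged


if __name__ == "__main__":
    for ip, (prefix, run) in flag_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: walked {run} consecutive {prefix} numbers")
```

Treat a hit as a hunting lead rather than an automatic block: a retailer checking its own consignment, as davidrg did above, produces exactly the same pattern, so the useful follow-up is to compare the flagged client against the sender of that series and to look at request rate and user agent. Logging alone does not fix the exposure; the tracking endpoint still needs to stop returning name and address for a bare number.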


435 posts

Ultimate Geek

Subscriber

  # 2237025 14-May-2019 22:19

You could try the Department of Internal Affairs; I have reported various issues to CERT but they don't do anything about them.

 

But the DIA might, or maybe Internet NZ

 

Ford

 

 

 

 


2401 posts

Uber Geek

Trusted
Subscriber

  # 2237076 15-May-2019 00:46

davidrg:

DSE sent my pixel 3 via PBT last year and they emailed me a tracking number as expected. The PBT tracking tool let me browse from tracking that specific package to viewing all the other packages in that consignment. IIRC this included destination addresses and delivery status for all the other pixel 3s DSE was shipping to NZ customers.

Was thinking about this more. A nefarious 'removals expert' could so easily order something, then trawl through all the other labels and create a shopping list when they find worthwhile items.

If you know the delivery date, they could be stolen from your doorstep.

This is really poor form! The delivery address and name shouldn't be public.

The Privacy Commissioner won't be pleased!
