fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

DPD Group Parcel Tracking Flaw may Have Exposed Customer Data

DPD Group Parcel Tracking Flaw may Have Exposed Customer Data

An unauthenticated API call vulnerability in DPD Group’s package tracking system could have been exploited to access the personally identifiable details of its clients.

DPD Group is a parcel delivery service with a global presence, shipping around two billion parcels annually worldwide.

To track the status and position of their parcel, customers are expected to enter a parcel code and postcode, and if they match a valid entry in the database, they are authorized to view the shipping details.

Also Read: A guide to Singapore’s Do Not Call Registry

Accessing recipient’s details

Researchers at Pen Test Partners explored the system and found that they could try out parcel codes on API calls and get back OpenStreetMap addresses with the recipient’s position on the map.

API call returning customer's position
API call returning customer’s position
Source: PTP

Although the call returned just a screenshot of the map, it is fairly easy to derive the postcode in most cases by using the street names depicted on the picture.

Holding a valid parcel code and a matching postcode, an unauthorized individual could access someone else’s tracking page displaying delivery information.

Viewing the tracking details of someone else's parcel
Viewing the tracking details of someone else’s parcel
Source: PTP

With the valid session token granted, one can view the underlying JSON data, including that person’s full name, email address, mobile phone number, and more.

Also Read: October 2021 PDPC Incidents and Undertaking: Lessons from the Cases

Accessing custom details
Accessing custom details
Source: PTP

Remediation and impact

Pen Test Partners discovered the problem on September 02, 2021, and alerted DPD immediately. The firm evaluated the issue for a month and eventually pushed a fix on October 2021.

As such, the API access vulnerability remained available for exploitation for at least a month, but the window of opportunity was probably much more extensive.

Although the researchers likely were the first to discover this, the scenario of “silent” long-term abuse cannot be excluded.

The way this API attack worked is random, as one cannot guess parcel numbers for given identities, but it would still be useful in the hands of phishing actors.

Knowing the shipping status details and the matching contact details sets the stage for a successful phishing attack.

Parcel delivery service providers were the most imitated type of companies by phishing campaigns at the end of 2021, so this is already a highly-targeted sector.

We have reached out to DPD Group to request more information on the API flaw and its potential impact on customers, but we have not heard back from the firm yet.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us