DPD Group’s package tracking system had an unauthenticated API call vulnerability that may have been abused to gain access to its clients’ personally identifiable information. DPD Group is a multinational package delivery business that ships around two billion parcels each year. Customers must enter a parcel code and a postcode to follow the progress and location of their package. If the pair matches a legitimate record in the database, they are shown the shipment details.
Pen Test Partners researchers looked into the system and discovered that they could supply parcel codes alone in API requests to retrieve OpenStreetMap snapshots showing the recipient’s location on the map. Although the call only returned an image of the map, the street names visible in it usually make it quite straightforward to deduce the postcode. With a valid parcel number and the matching postcode, an unauthorized user could then open someone else’s tracking page and see the delivery details.
With the valid session token obtained that way, the underlying JSON data, including the recipient’s full name, email address, mobile phone number, and more, could be retrieved. On September 2, 2021, Pen Test Partners found the issue and promptly notified DPD. After a month of investigation, the company released a fix in October 2021.
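The design flaw described above, modelled as an added example (not DPD’s code or Pen Test Partners’ findings): a map endpoint keyed by the parcel code alone leaks the postcode that is supposed to be the second factor, while the hardened version applies the same parcel-plus-postcode check to every endpoint that reveals anything about a parcel. The parcel record, postcode and endpoint names are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Parcel:
    parcel_code: str
    postcode: str
    recipient: dict  # PII: must only be released after the postcode check


# Constructed sample record standing in for the carrier's database.
PARCELS = {
    "1550012345678": Parcel(
        "1550012345678", "AB1 2CD",
        {"name": "A. Example", "email": "a@example.invalid", "phone": "07000 000000"},
    ),
}


def _norm(postcode: str) -> str:
    return postcode.replace(" ", "").upper()


def vulnerable_map_snapshot(parcel_code: str) -> Optional[str]:
    """Flawed design: the parcel code alone returns a map of the delivery area,
    so an anonymous caller can infer the postcode that guards the other endpoints."""
    p = PARCELS.get(parcel_code)
    return f"map-tile-for:{p.postcode}" if p else None


def _authorised(parcel_code: str, postcode: str) -> Optional[Parcel]:
    """Single gate used by every endpoint: unknown code and wrong postcode fail
    identically, and the comparison is constant-time."""
    p = PARCELS.get(parcel_code)
    if p is None:
        return None
    return p if hmac.compare_digest(_norm(p.postcode), _norm(postcode)) else None


def hardened_map_snapshot(parcel_code: str, postcode: str) -> Optional[str]:
    p = _authorised(parcel_code, postcode)
    return f"map-tile-for:{p.postcode}" if p else None


def hardened_tracking_details(parcel_code: str, postcode: str) -> Optional[dict]:
    """Only the map and the PII-bearing JSON are released after the same check."""
    p = _authorised(parcel_code, postcode)
    return dict(p.recipient) if p else None
```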
As a result, the API access vulnerability was exploitable for at least a month, although the window of opportunity was likely considerably longer. Although the researchers were most likely the first to notice it, the possibility of “silent” long-term misuse cannot be ruled out. Because parcel numbers for particular individuals cannot be predicted, this API attack could only hit victims at random, but it might nevertheless be useful in the hands of phishing attackers.
Knowing the shipment status and the recipient’s contact information sets the stage for a successful phishing attack. At the end of 2021, parcel delivery service providers were the most imitated type of business in phishing campaigns, indicating that this is already a highly targeted industry. When DPD Group was contacted for further information about the API problem and its possible impact on consumers, the company did not respond.