Tracking Flaw May Have Exposed Customer Data

DPDgroup is a package delivery business that operates on a global scale. DPD is an abbreviation for Dynamic Parcel Distribution, which comprises trademarks such as DPD, Colissimo, Chronopost, Seur, and BRT, among others. The company is established in France and is primarily involved in the expedited road-based transportation sector.

What Happened?

Customers are required to input a parcel number and a postcode in order to monitor the status and location of their package, and if the information they provide matches a legitimate record in the database, they will be granted access to the shipping information.

Researchers from Pen Test Partners investigated the system and discovered that they could use parcel codes to make API calls and get back OpenStreetMap addresses along with the recipient’s location on a map as a result.

An unauthenticated API call was identified in DPD Group’s public API that could allow a user with a valid package ID to, with some basic OSINT, discover the package’s destination postcode and thus obtain all details about the package.

DPD Group were prompt in the triage and resolution of the vulnerability, which was fixed in October 2021.


In spite of the fact that the call resulted

Read More: