DPD Group parcel tracking flaw may have exposed customer data
2022-02-07 22:30

An unauthenticated API call vulnerability in DPD Group's package tracking system could have been exploited to access the personally identifiable details of its clients.

DPD Group is a parcel delivery service with a global presence, shipping around two billion parcels annually worldwide.

To track the status and position of their parcel, customers are expected to enter a parcel code and postcode, and if they match a valid entry in the database, they are authorized to view the shipping details.

Researchers at Pen Test Partners explored the system and found that they could try out parcel codes on API calls and get back OpenStreetMap addresses with the recipient's position on the map.

Holding a valid parcel code and a matching postcode, an unauthorized individual could access someone else's tracking page displaying delivery information.
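
The pattern described above, as an added example (not code from DPD Group or Pen Test Partners): an API route that answers to a parcel code alone, next to one that enforces the same parcel-code-plus-postcode check as the tracking page and throttles repeated failed lookups. The function names, the sample record and the failure threshold are all assumptions made for illustration.

```python
import hmac

# Constructed sample record; parcel code, postcode and coordinates are made up.
PARCELS = {"PARCEL0001": {"postcode": "AB1 2CD", "lat": 51.5, "lon": -0.12}}
MAX_FAILURES = 5          # assumed lockout threshold per client
_failures = {}            # client id -> count of failed lookups


def _norm(postcode):
    """Compare postcodes without regard to spacing or case."""
    return "".join(postcode.split()).upper()


def map_api_weak(parcel_code):
    """Weak pattern: the parcel code alone returns the recipient's position."""
    rec = PARCELS.get(parcel_code)
    return None if rec is None else (rec["lat"], rec["lon"])


def authorize(client, parcel_code, postcode):
    """Single check shared by the tracking page and every API route."""
    if _failures.get(client, 0) >= MAX_FAILURES:
        return None                       # throttled: limits parcel-code guessing
    rec = PARCELS.get(parcel_code)
    expected = _norm(rec["postcode"]) if rec else ""
    ok = rec is not None and hmac.compare_digest(
        _norm(postcode).encode(), expected.encode())
    if not ok:
        _failures[client] = _failures.get(client, 0) + 1
        return None                       # same answer for bad code or bad postcode
    return rec


def map_api_hardened(client, parcel_code, postcode):
    """Map data is released only after the shared authorization check passes."""
    rec = authorize(client, parcel_code, postcode)
    return None if rec is None else (rec["lat"], rec["lon"])
```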

We have reached out to DPD Group to request more information on the API flaw and its potential impact on customers, but we have not heard back from the firm yet.


News URL

https://www.bleepingcomputer.com/news/security/dpd-group-parcel-tracking-flaw-may-have-exposed-customer-data/