Maksym Yemelyanov - stock.adobe.

DPD delivers swift fix for serious API flaw

API vulnerability potentially left PII on DPD Group’s customers dangerously exposed, but was rapidly fixed on disclosure

Logistics firm DPD Group fixed a potentially serious application programming interface (API) vulnerability that could have allowed any sufficiently tech-savvy user to obtain details of others’ packages, as well as their personal data, in October 2021, it has emerged.

The existence of the vulnerability has now been revealed in a disclosure published by ethical hackers Pen Test Partners, a security consultancy with offices in the UK and US, that last year uncovered a serious flaw affecting users of Brewdog’s mobile app.

The vulnerability existed in how DPD enables customers to track their packages while they are in transit, using a unique parcel code. When passed a parcel code, the DPD API call directed to an OpenStreetMap extract highlighting the destination address. This could then be easily used to identify a postcode. With both of these pieces of information, a determined attacker could in theory have used the resulting session token to view the underlying JSON, giving them access to the recipient’s personally identifiable information (PII), significantly, their contact details.

Pen Test Partners’ hacker used the firm’s Buckinghamshire office as an example, but also tested several different parcel codes with the recipient’s permission, and in each case said they were able to successfully locate the data.

The chain of events detailed by Pen Test Partners relies on a very specific set of circumstances unfolding, so it is unlikely that anybody who had packages delivered via DPD had their details compromised in this manner. Nevertheless, the technical fact of the data exposure is significant.

Pen Test Partners said that on being contacted, DPD responded immediately through appropriate channels, and fixed the vulnerability within a week. The firm also requested a delay in disclosure until now to more thoroughly investigate, review and secure its environment.

The hacker behind the disclosure wrote: “The disclosure experience was very positive, which made a refreshing change! Working with DPD Group on this disclosure was easy, clear, and unfettered by politics. They have a great vulnerability disclosure programme and fixed things fast. Seriously impressed.”

Cybersmart’s Jamie Akhtar said the cautionary tale illustrated the importance of conducting regular penetration testing exercises, and in reacting openly and quickly, DPD may have averted a worst-case scenario.

“Parcel companies are [some] of the most imitated by cyber criminals for phishing scams,” he said. “This situation could easily have led to a successful scam on the scale of the Royal Mail incident last year.”

Trevor Morgan, Comforte AG product manager, added: “You can try to plug every single ingress and egress point, but threat actors are always looking for the one simple flaw that will gain them access to your sensitive enterprise data.

“We all have to remember that data is their target, so the smart, proactive organisation needs to account for hackers finding a way into the data ecosystem and actually getting their hands on it. Inevitably, they can and will find that flaw you’ve overlooked.”

Read more on Web application security