Black Friday weekend is a time when a surge in the amount of parcel deliveries is expected, given the holiday rush and massive discount sales.
As of today, November 30th 2019 sometime around noon however, I noticed something strange — as a Security Researcher I always strive to. Yodel mobile app for Android which lets you track parcel deliveries scheduled for your address, is showing ‘random’ packages within the app in addition to the ones you’re tracking. Every ‘refresh’ of the feed tends to load new tracking numbers that may have no connection to your address whatsoever (e.g. same building) and that you’ve never tracked in the past or have had any prior knowledge of.
Now, Yodel appears to have a history: the company has often topped the list of worst courier delivery providers in the UK. This does not even include Yodel’s fiasco from 2016 captured on video wherein the workers were ‘mishandling’ packages. But today I uncover a security flaw that has crept into the company’s mobile app.
What information is being revealed?
Users tracking their own package via the Yodel app simply by using the tracking number for that package, are able to see tracking numbers, the name of sending retailer(s) behind a package, the package’s current location on a map, name of the delivery driver, destination of the package (and therefore the recipient’s location), any reference notes left by the customer with regards to the contents of the parcel (e.g. ‘shoes’), and the estimated delivery time — for a parcel not destined or belonging to them. In addition, the app offers options to reschedule or cancel deliveries in some cases using just the tracking number which is now revealed to a user with absolutely no connection to the package.
Why is this a security flaw?
Other than the obvious unintended Information Exposure with regards to the current location and driver associated with a package, as well as a package’s intended destination (recipient’s location) — something which is supposed to be revealed only to a package’s rightful owner, the app lets oneself reschedule deliveries, or instruct the driver to leave them in a “safe place,” such as with a neighbour. The app lets you call or text the driver for deliveries en route.
If someone is feeling a tad adventurous, they could simply cancel an oncoming delivery by tapping the Collect from depot in-app option even though they (should) have no authorisation to take such action. For some packages, a redirection may also be possible via the Change Address option.
What have you done?
I have gone ahead and swiftly notified Yodel via Web Chat and Twitter to correct this bug and a potential security vulnerability as of writing this article. Until then, let’s hope everyone gets their deliveries safely and no one’s is tampered with.
Yodel’s live chat agent stated that “there is no such security bug” in their app after investigating for merely 5 minutes, whereas Yodel has not yet responded to my Twitter Direct Message (DM). Yet multiple Twitter users have confirmed experiencing this issue (scroll below).
Update as of December 3, 2019: Yodel has responded to my Twitter DM stating that the issue has now been resolved.
Any examples?
Absolutely — screenshots below taken on my Android device (Yodel app version 2.5.4_92) appear to show more than they should. I had only been tracking one of the many packages listed here which belonged to me when suddenly, some others started just randomly appearing on my feed within the app upon refresh. I have redacted some sensitive information for packages not belonging to myself.
Apparently, some other customers are experiencing this too:
While the potential for damage arising from a minor security bug like this one may seem negligible, the app still reveals way too much data than necessary and gives control of your precious parcels to unknown parties, should they get tempted to abuse it.
This is yet another lesson in how serious bugs and security flaws can arise from poor design and testing when coding mobile apps.
© 2019. Akshay ‘Ax’ Sharma (Twitter). All Rights Reserved.
