About four months ago, I ordered a new TV directly from Samsung’s online store. A few days later, I received a tracking link via email.
Reusing Tracking Numbers
When I first received the link, it showed an order that wasn’t my own. I assumed there was some sort of clerical error, but I was too busy at the time to contact Samsung about it. When I checked back later in the day, there were now two orders showing at the link Samsung sent me — my own, and the other order.
I was a little concerned by the fact that my tracking number showed two orders, so I contacted Samsung to find out what was going on. I received the following reply.
I understand you are concerned with your tracking. AGS recycles their tracking numbers every year which is why you see more than one orders under the same tracking number. Your tracking has been updated and is the first listed. We apologize for any inconveniences that may have impacted your experience with Samsung. We at Samsung appreciate your business, and we sincerely hope that this situation doesn’t deter you from continuing to purchase products of the Samsung brand. If you have any other questions or concerns please email me back.
This already seemed a bit odd — Samsung is telling me not to worry about this, their shipper just happens to reuse tracking numbers annually. These orders were clearly shipped days apart.
Leaking Order Information
When I clicked one of the HAWB (House Airway Bill) links, it took me to the tracking details for my own order.
This is indeed my order . A 60" SAMSUNG TV shipping to Orchard Park, NY, POD (Proof Of Delivery) Metzger. It even has my order number from the Samsung website (11109231971). That seems like an awful lot of information to expose to an unauthenticated user.
Wait a minute… weren’t there two links on that page? I went back to the page (which Samsung sent me a link to) and clicked the other HAWB link. Now I’m looking at all of the same order information for someone else’s order. (I’m a little jealous, they ordered a bigger TV.)
If Samsung sent me a link to view someone else’s order, then surely that guy can also see my order.
Enumerable Tracking IDs
This was already rather disappointing. All someone needs is the tracking URL that Samsung sent me, and they can see a lot of my order details (and someone else’s order details).
In some cases, applications use secret URLs for sensitive functions (ie. password reset URLs delivered via email.) This is not one of those cases. My tracking URL was surely delivered to someone else with the same ID — it has already lost any notion of secrecy.
Even if someone else hadn’t received the same tracking URL, this link still cannot be considered secret. Notice the only special part about the link is a relatively low integer (1138977). That, coupled with the fact that Samsung told me that the shipper “recycles their tracking numbers every year” makes it obvious that these IDs are sequentially assigned.
All it takes is knowledge of one tracking URL and you can walk through all of the tracking IDs sequentially. With about five minutes of scripting, someone could scrape the data of every Samsung shipment, yielding:
- Orderer’s Last Name
- Orderer’s City
- Item Ordered
- Order Number
Exploiting The Data
Let’s think about how dangerous it is just to leak these four pieces of information to someone with malicious intent. Since we have a last name and city, a quick internet search would yield possible phone numbers for the orderer.
Once we have a list of potential phone numbers, we put on our social engineering hat and call each one.
Hello, this is Bob from Samsung. Can I please speak with Mr. Metzger regarding his recent order for a 60" Samsung TV.
If they say they didn’t order anything, hang up and move on to the next phone number. If it sounds like like they know what we’re talking about, give a little more information so they know this call is legit.
Just to make sure I'm looking at the right order - would you mind confirming that your order number is 1138977?
We have our foot in the door and we’ve made it clear that we are legitimately calling from Samsung (surely a scammer wouldn’t know their order number and what they ordered?)
It’s time to exploit this trust and extract payment details with an offer that can’t be passed up.
-> If they ordered a small tv:
We're sorry for the inconvenience - there has been an accident at our shipper's facility, damaging an entire shipment of 50" TVs. It will be approximately two weeks before we have more of this model in stock. As a consolation, we would like to offer you an upgrade to a 65" TV - which we currently have in stock - for $49.
-> If they ordered a large tv:
We're sorry for the inconvenience - due to a glitch in our online store, our promotional warranty prices weren't showing for your model when you made your purchase. Your model is eligible for a 3 Year Accidental Damage Plan for only $29.
-> If they took the bait:
Great! Sorry again about the inconvenience. We'll just need your payment information again - we don't keep records of it when you order because PCI compliance.
You get the idea — it’s seriously easy to turn these four pieces of information into a rather convincing social engineering attack.
The Leak Gets Bigger
After my TV was delivered, I went back to check the tracking status — hoping that this was just a ephemeral leak while the shipment was en route, disappearing after I received the delivery.
I found the exact opposite. Not only was the order information still there — but now there was a link to a TIFF file too.
That TIFF file turned out to be a scanned copy of the signed waybill for the delivery.
They were already leaking enough information for a social engineering attack — now they’re leaking even more pieces.
- My Full Name
- My Full Address
- My Signature (well, actually my wife’s)
All of this information was obtained directly from a link that Samsung sent to me— but you don’t have to buy something from Samsung to find a link to the tracking system. It turns out Google has already indexed some queries for airway bills.
Even if the shipping company gets these removed from Google, it’s still not too difficult to find these items. They have a form to search for tracking numbers.
The form makes it obvious this should be a seven digit number. Starting with 0000001 takes us to familiar search results:
At this point, there is no question about it — information in this system is not secret. Links are sent directly to consumers, links are indexed in google, and there is an open form on the website for performing searches.
I didn’t like the fact that all of this information was freely available to anyone willing to spend a couple minutes to scrape data, so I responded back to Samsung again. I informed them that my personal information was being shared via their shipper’s website. I included descriptions of each piece of information, with direct links to it. I also informed them that the data was easily enumerable because it uses sequential IDs — and I requested that they loop in their information security team.
Two weeks later, I received a response from Samsung:
I understand you would like this forward to our security team. Your request will need to be taken up with AGS. You will need to remove your information through AGS. We apologize for any inconveniences that may have impacted your experience with Samsung. We at Samsung appreciate your business, and we sincerely hope that this situation doesn’t deter you from continuing to purchase products of the Samsung brand.
That’s it. Samsung says I need to take it up with their shipper.
That is not going to happen. I entrusted Samsung with my data, and that is who I hold solely responsible for safeguarding it. If Samsung’s business partner is leaking that information, Samsung needs to remedy the situation.
As I was writing this up, I was going to redact some of my information (or at least my wife’s signature) but it wouldn’t make much of a difference. Four months after I disclosed this to Samsung, the information is still there for anyone to retrieve. Please don’t try to sell me a warranty for my tv.