Proof-of-delivery photos for many Amazon packages publicly accessible for months - Action News

Proof-of-delivery photos for many Amazon packages publicly accessible for months

The New Brunswick company BNI's tracking and delivery notices, including photos of the delivered packages, exact GPS co-ordinates and the time of delivery, were publicly accessible to anyone with a computer.

BNI tracking database was publicly accessible, but did not include payment or credit card info

A compilation of two proof-of-delivery photos and tracking information.
Photos obtained by CBC before BNI's unsecured tracking database was made inaccessible show it was easy to see delivery photos and details. (CBC)

People who received an Amazon package delivered by the New Brunswick-based company BNI in the last few months likely had photos of their front doors accessible online, in the latest example of a type of privacy breach that cybersecurity experts know all too well.

Maxime St-Pierre, a freelance web developer, discovered that a database of BNI tracking and delivery notices, including proof-of-delivery photos, exact GPS co-ordinates and the time of delivery, was publicly accessible to anyone with a computer.

"I just stumbled on it," said St-Pierre, who was curious about the tracking software when he got his own package delivered by BNI.

Names are not included in the database, nor is payment or credit card information, but some delivery photos show the shipping label, which includes the name and address of the recipient.

BNI, also known as Brunswick News Inc., was owned by J.D. Irving Ltd. until Postmedia acquired it last year. The company delivers Amazon packages not just across New Brunswick, but in other provinces, including Ontario, Quebec, Nova Scotia and Prince Edward Island.

In a statement, Postmedia spokesperson Phyllise Gelfand said the company "was recently made aware" of the issue.

The so-called "S3 bucket" database where BNI stores all of its tracking and delivery information was misconfigured to be public when it should have been set to private, St-Pierre said.

A worker adds a label to a shipment box in a warehouse.
BNI was formerly owned by J.D. Irving Ltd., before Postmedia acquired the company in 2022. It delivers Amazon packages in New Brunswick and in other provinces, including Ontario and Prince Edward Island. (Evan Mitsui/CBC)

"We immediately shut down access to these files and within hours implemented a permanent solution. Only the individual customers can now see their delivery photos," she said.

"The images may display, at most, name and address, and perhaps identify the vendor."

Edit a URL, find a package?

The company's tracking numbers are sequential, so someone who had one tracking number could change a few digits and get someone else's tracking information.

With some trial and error, someone could have identified the most recent deliveries, their locations and the time the photo was taken.

With minimal software knowledge, people were able to edit the URL in a browser and find the root list of every entry in the database, St-Pierre said, which is how he found it.

He said in a secured database, access would be denied.

St-Pierre said the database service BNI is using is public by default, so he has seen this issue many times before. He said this shows how important it is to always check for possible privacy breaches and to continually perform security audits.
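The audit St-Pierre describes comes down to three settings on an S3 bucket: the account-level or bucket-level Block Public Access configuration, the bucket ACL (a READ grant to the AllUsers group is what lets an anonymous visitor list every key in the bucket, the "root list of every entry" mentioned above), and whether the bucket policy is public. The following is an added example written for this article, not code from BNI or Postmedia; the assessment is a pure function over those three settings so it can be exercised offline, and `fetch_bucket_settings()` is the only part that touches AWS (it assumes boto3 and valid credentials are available). The bucket names and the `OWNERID` canonical ID are constructed placeholders.

```python
"""Assess an S3 bucket for public exposure (added example, not BNI's code)."""
from dataclasses import dataclass
from typing import List, Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "everyone", AUTHENTICATED_USERS: "any AWS account"}

# The four Block Public Access settings a hardened bucket has switched on.
HARDENED_PAB = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


@dataclass
class BucketSettings:
    name: str
    public_access_block: Optional[dict]  # None when no configuration exists
    acl_grants: List[dict]               # 'Grants' list from get_bucket_acl
    policy_is_public: bool               # 'IsPublic' from get_bucket_policy_status


def assess_bucket(s: BucketSettings) -> List[str]:
    """Return human-readable findings; an empty list means nothing public was found."""
    findings = []
    pab = s.public_access_block or {}
    for setting in HARDENED_PAB:
        if not pab.get(setting, False):
            findings.append(f"{s.name}: Block Public Access setting {setting} is off")
    for grant in s.acl_grants:
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            # IgnorePublicAcls neutralises the grant, but it should still be removed.
            note = " (currently ignored by IgnorePublicAcls)" if pab.get("IgnorePublicAcls") else ""
            findings.append(f"{s.name}: ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[uri]}{note}")
    if s.policy_is_public:
        note = " (access restricted by RestrictPublicBuckets)" if pab.get("RestrictPublicBuckets") else ""
        findings.append(f"{s.name}: bucket policy is public{note}")
    return findings


def is_exposed(s: BucketSettings) -> bool:
    """True when anonymous or cross-account access is actually possible right now."""
    pab = s.public_access_block or {}
    acl_public = any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS for g in s.acl_grants)
    acl_effective = acl_public and not pab.get("IgnorePublicAcls", False)
    policy_effective = s.policy_is_public and not pab.get("RestrictPublicBuckets", False)
    return acl_effective or policy_effective


def fetch_bucket_settings(bucket: str) -> BucketSettings:
    """Pull the three settings with boto3 (assumes credentials that may read them)."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    grants = s3.get_bucket_acl(Bucket=bucket)["Grants"]
    try:
        is_public = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]["IsPublic"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        is_public = False
    return BucketSettings(bucket, pab, grants, is_public)


# Constructed sample buckets: one open to the world, one hardened.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNERID"}, "Permission": "FULL_CONTROL"}
LEAKY = BucketSettings(
    name="example-deliveries-leaky",
    public_access_block=None,
    acl_grants=[OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    policy_is_public=False,
)
HARDENED = BucketSettings(
    name="example-deliveries-hardened",
    public_access_block=dict(HARDENED_PAB),
    acl_grants=[OWNER_GRANT],
    policy_is_public=False,
)

if __name__ == "__main__":
    for bucket in (LEAKY, HARDENED):
        print(bucket.name, "exposed" if is_exposed(bucket) else "not exposed")
        for finding in assess_bucket(bucket):
            print("  -", finding)
```

Running the script on the two constructed buckets reports five findings and "exposed" for the leaky one (no Block Public Access, and an ACL READ grant to everyone, which is exactly the condition that makes a bucket listing anonymous) and nothing for the hardened one. In a real account the same `assess_bucket()` can be run over every bucket returned by `list_buckets()`, which is the repeatable check the article argues for.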

"They're just low hanging fruit. If somebody can find them in 15 minutes, what can they find if they had, like, four, eight, 12 hours?" he said.

Tried to contact company first

St-Pierre said he stumbled on this unsecured database two months ago, and tried to contact BNI and alert them of the issue.

But his emails and calls went unanswered, and he finally on Wednesday posted the discovery online to warn people.

Within four hours, BNI took down the tracking website.

Gelfand said the company is still looking into how long this has been an issue.

"As you know, Postmedia acquired the business in March 2022 and is currently rolling the acquired platforms into our audited security practice," she said.

She said if customers have concerns, they can contact Postmedia's privacy officer.

St-Pierre said he is glad the company made the changes quickly.

"I've seen companies that do not take actions for weeks and weeks. But in this case, got to give them credit where credit is due."

Effect on customers can't be easily known

Cybersecurity expert David Shipley said these types of database breaches are very common, and this is not even close to the worst instance.

In 2019, Capital One Financial's database was breached because of an improperly secured S3 database.

Cybersecurity expert David Shipley says this kind of database leak is common. (Jonathan Collicott/CBC)

Shipley said it's difficult to say exactly what impact BNI's unsecured database could have on customers, because he doesn't know if the database was in fact accessed by anyone with nefarious intent.

"Were people actually affected or was the door just left wide open?" he said.

He said there are logs that could show irregular activity and help answer that question.
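The logs Shipley refers to are, for an S3 bucket, the server access logs (if logging was enabled before the exposure). Two signals in them answer his question: requests with no authenticated requester that list the bucket, and a single source fetching a run of consecutive tracking numbers, which is what the sequential-ID walk described earlier would look like from the defender's side. The script below is an added example written for this article, not code from the original report, BNI or CBC. The six log lines are constructed and use only the leading fields of the S3 server access log format (bucket owner, bucket, time, remote IP, requester, request ID, operation, key, request URI, status); the trailing fields are omitted, so the parser reads only those. The key layout `deliveries/<number>.json` and the IP addresses are assumptions for the sample.

```python
"""Flag anonymous bucket listings and sequential key enumeration in S3 access logs.

Added example (not BNI's or CBC's code). Log lines below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Leading fields of the S3 server access log format; a "-" requester is anonymous.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3})'
)
ID_RE = re.compile(r"(\d+)")  # first digit run in the key, e.g. the tracking number

SAMPLE_LOG = """\
OWNERID examplebucket [20/Nov/2024:14:02:11 +0000] 203.0.113.7 - REQ1 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 -
OWNERID examplebucket [20/Nov/2024:14:02:15 +0000] 203.0.113.7 - REQ2 REST.GET.OBJECT deliveries/100234.json "GET /deliveries/100234.json HTTP/1.1" 200 -
OWNERID examplebucket [20/Nov/2024:14:02:16 +0000] 203.0.113.7 - REQ3 REST.GET.OBJECT deliveries/100235.json "GET /deliveries/100235.json HTTP/1.1" 200 -
OWNERID examplebucket [20/Nov/2024:14:02:17 +0000] 203.0.113.7 - REQ4 REST.GET.OBJECT deliveries/100236.json "GET /deliveries/100236.json HTTP/1.1" 200 -
OWNERID examplebucket [20/Nov/2024:14:02:18 +0000] 203.0.113.7 - REQ5 REST.GET.OBJECT deliveries/100237.json "GET /deliveries/100237.json HTTP/1.1" 200 -
OWNERID examplebucket [20/Nov/2024:14:05:40 +0000] 198.51.100.5 - REQ6 REST.GET.OBJECT deliveries/100240.json "GET /deliveries/100240.json HTTP/1.1" 200 -
"""


def parse_access_log(lines) -> List[dict]:
    """Parse the leading fields of each log line; lines that don't match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def anonymous_listings(records: List[dict]) -> List[dict]:
    """Bucket listings (REST.GET.BUCKET) made with no authenticated requester."""
    return [r for r in records if r["requester"] == "-" and r["op"] == "REST.GET.BUCKET"]


def enumeration_by_source(records: List[dict], min_run: int = 3) -> Dict[str, int]:
    """Map source IP -> longest run of consecutive object IDs fetched, for runs >= min_run.

    A customer checking their own delivery fetches one ID; a walk through
    sequential tracking numbers shows up as a run of adjacent IDs from one source.
    """
    ids = defaultdict(set)
    for r in records:
        m = ID_RE.search(r["key"])
        if r["op"] == "REST.GET.OBJECT" and m:
            ids[r["ip"]].add(int(m.group(1)))
    flagged = {}
    for ip, seen in ids.items():
        ordered = sorted(seen)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


def summarize(records: List[dict]) -> List[str]:
    """Human-readable findings for an incident responder."""
    out = []
    for r in anonymous_listings(records):
        out.append(f"{r['time']}: anonymous bucket listing from {r['ip']}")
    for ip, run in enumeration_by_source(records).items():
        out.append(f"{ip}: fetched {run} consecutive object IDs")
    return out


if __name__ == "__main__":
    for finding in summarize(parse_access_log(SAMPLE_LOG.splitlines())):
        print(finding)
```

On the constructed sample the script reports one anonymous listing and a four-ID run from 203.0.113.7, while the single fetch from 198.51.100.5 (the pattern of a customer viewing their own delivery) is not flagged. Whether the real answer to "was the door just left wide open?" can be given depends on whether access logging was switched on before the exposure; logs enabled after the fact only cover the future.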

The fact that payment information and the details of package contents were not in the database is good news, he said.
