All your parcel are belong to us
This talk shows flaws in the implementation of parcel tracking at a well-known parcel service that put customer data at risk. It demonstrates how wrong assumptions about defense mechanisms and OSINT can lead to an easily exploitable web app.
In this talk we will give some basic insights about parcel tracking, such as:
- How do tracking numbers work?
- How are they generated?
- How are parcels distributed?
Afterwards, we show how customer data is protected and highlight why these mechanisms are flawed. Here, one focus is anti-bot detection and why it can be circumvented easily.
After describing the attack, we show how it can be prevented, or at least impeded.
At the end of the talk, DHL will present how they experienced the disclosure process, which measures they implemented, and some additional information.