About four months ago, I ordered a new TV directly from Samsung's online store. A few days later, I received a tracking link via email.

http://www.agsystems.com/listhawb.asp?searchtype=hawb&searchvalue=1138977

## Reusing Tracking Numbers

When I first received the link, it showed an order that wasn't my own. I assumed there was some sort of clerical error, but I was too busy at the time to contact Samsung about it. When I checked back later in the day, there were now **two** orders showing at the link Samsung sent me — my own, and the other order.

I was a little concerned by the fact that my tracking number showed two orders, so I contacted Samsung to find out what was going on. I received the following reply.

> I understand you are concerned with your tracking. AGS recycles their tracking numbers every year, which is why you see more than one order under the same tracking number. Your tracking has been updated and is the first listed. We apologize for any inconveniences that may have impacted your experience with Samsung. We at Samsung appreciate your business, and we sincerely hope that this situation doesn't deter you from continuing to purchase products of the Samsung brand. If you have any other questions or concerns please email me back.

This already seemed a bit odd — Samsung is telling me not to worry about this; their shipper just happens to reuse tracking numbers annually. These orders were clearly shipped days apart.

## Leaking Order Information

When I clicked one of the HAWB (House Airway Bill) links, it took me to the tracking details for my own order. There sure is a lot of information about me there…

This is indeed my order. A **60" SAMSUNG TV** shipping to **Orchard Park, NY**, POD (Proof Of Delivery) **Metzger**. It even has my order number from the Samsung website (**11109231971**). That seems like an awful lot of **information** to expose to an unauthenticated user.

Wait a minute… weren't there **two** links on that page?

I went back to the page (which Samsung **sent me a link to**) and clicked the other HAWB link. Now I'm looking at all of the same order information for someone else's order. (I'm a little jealous, they ordered a bigger TV.)

If Samsung sent me a link to view someone else's order, then surely that guy can also see my order.

## Enumerable Tracking IDs

This was already rather disappointing. All someone needs is the tracking URL that Samsung sent me, and they can see a lot of my order details (and someone else's order details). In some cases, applications use secret URLs for sensitive functions (e.g. password reset URLs delivered via email). This is not one of those cases. My tracking URL was surely delivered to someone else with the same ID — it has already lost any notion of secrecy.

Even if someone else hadn't received the same tracking URL, this link still cannot be considered secret. Notice the only special part about the link is a relatively low integer (1138977). That, coupled with the fact that Samsung told me that the shipper "recycles their tracking numbers every year", makes it obvious that these IDs are sequentially assigned.

All it takes is knowledge of **one** tracking URL and you can walk through all of the tracking IDs sequentially. With about five minutes of scripting, someone could scrape the data of every Samsung shipment, yielding:

- Orderer's Last Name
- Orderer's City
- Item Ordered
- Order Number

## Exploiting The Data

Let's think about how dangerous it is just to leak these four pieces of information to someone with malicious intent. Since we have a last name and city, a quick internet search would yield possible phone numbers for the orderer. Once we have a list of potential phone numbers, we put on our social engineering hat and call each one.

> Hello, this is Bob from Samsung. Can I please speak with Mr. **Metzger** regarding his recent order for a **60" Samsung TV**.

If they say they didn't order anything, hang up and move on to the next phone number.

If it sounds like they know what we're talking about, give a little more information so they know this call is legit.

> Just to make sure I'm looking at the right order - would you mind confirming that your order number is **1138977**?

We have our **foot in the door** and we've made it clear that we are legitimately calling from Samsung (surely a scammer wouldn't know their order number and what they ordered?). It's time to exploit this trust and extract payment details with an offer that can't be passed up.

**-> If they ordered a small tv:**

> We're sorry for the inconvenience - there has been an accident at our shipper's facility, damaging an entire shipment of **50" TVs**. It will be approximately two weeks before we have more of this model in stock. As a consolation, we would like to offer you an upgrade to a 65" TV - which we currently have in stock - for $49.

**-> If they ordered a large tv:**

> We're sorry for the inconvenience - due to a glitch in our online store, our promotional warranty prices weren't showing for your model when you made your purchase. Your model is eligible for a 3 Year Accidental Damage Plan for only $29.

**-> If they took the bait:**

> Great! Sorry again about the inconvenience. We'll just need your payment information again - we don't keep records of it when you order because PCI compliance.

You get the idea — it's seriously easy to turn these four pieces of information into a rather convincing social engineering attack.

## The Leak Gets Bigger

After my TV was delivered, I went back to check the tracking status, hoping that this was just an ephemeral leak while the shipment was en route, disappearing after I received the delivery. I found the exact opposite. Not only was the order information still there — but now there was a link to a TIFF file too.

Hmm… they added a link to a TIFF file…

That TIFF file turned out to be a scanned copy of the **signed** waybill for the delivery.

Oh wow, there's even more information about me.

They were already leaking enough information for a social engineering attack — now they're leaking even more pieces.

- My **Full** Name
- My **Full** Address
- My Signature (well, actually my wife's)

## Visibility

All of this information was obtained directly from a link that Samsung sent to me — but you don't **have** to buy something from Samsung to find a link to the tracking system. It turns out Google has already indexed some queries for airway bills.

Note: This method of finding tracking links is much cheaper than buying a TV and waiting for it to ship.

Even if the shipping company gets these removed from Google, it's still not too difficult to find these items. They have **a form** to search for tracking numbers. This convenient form makes it obvious this should be a seven digit number. Starting with **0000001** takes us to familiar search results:

At this point, there is no question about it — information in this system is **not** secret. Links are sent directly to consumers, links are indexed in Google, and there is an open form on the website for performing searches.

## Samsung's Response

I didn't like the fact that all of this information was freely available to anyone willing to spend a couple minutes to scrape data, so I responded back to Samsung again. I informed them that my personal information was being shared via their shipper's website. I included descriptions of each piece of information, with direct links to it. I also informed them that the data was easily enumerable because it uses sequential IDs — and I requested that they loop in their information **security** team.

Two weeks later, I received a response from Samsung:

> I understand you would like this forwarded to our security team. Your request will need to be taken up with AGS. You will need to remove your information through AGS. We apologize for any inconveniences that may have impacted your experience with Samsung. We at Samsung appreciate your business, and we sincerely hope that this situation doesn't deter you from continuing to purchase products of the Samsung brand.

That's it. Samsung says I need to take it up with their shipper. That is not going to happen. I entrusted **Samsung** with my data, and that is who I hold solely responsible for safeguarding it. If Samsung's business partner is leaking that information, Samsung needs to remedy the situation.

As I was writing this up, I was going to redact some of my information (or at least my wife's signature) but it wouldn't make much of a difference. Four months after I disclosed this to Samsung, the information is **still** there for anyone to retrieve.

Please don't try to sell me a warranty for my tv.
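Added example, written for this post and not code from Samsung or its shipper: what the fixes for the "Enumerable Tracking IDs" and "Visibility" sections look like in practice, plus the check a carrier could run over its own access logs. The tracking link keeps the seven-digit HAWB number but appends a keyed MAC bound to one specific order, so a bare sequential number, a tampered link, or a link for a different order that happens to share a recycled number all resolve to nothing; the unauthenticated view returns only status and city, with the signed waybill and full address left behind the customer's account; and a small log check flags a client walking consecutive `searchvalue` IDs against the URL shape quoted above. The server key, the `TrackingService` and `public_view` names, the order numbers and the log lines are all constructed for illustration.

```python
"""Added example, not code from Samsung or its shipper: an unguessable tracking
link that keeps the sequential HAWB number, a minimal public view, and a log
check for sequential probing. Keys, names and log lines are constructed."""
import hashlib
import hmac
import re
from collections import defaultdict

# Server-side secret. Placeholder value: a real deployment loads this from a
# secret store and rotates it.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def _mac(hawb: int, order_no: str) -> str:
    """Keyed MAC binding a (recyclable) HAWB number to exactly one order.
    Without SERVER_KEY nobody can compute a valid tag for a guessed number."""
    msg = f"{hawb}:{order_no}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]  # 128-bit tag


class TrackingService:
    """Shipments indexed by HAWB number. A list per number, because the carrier
    recycles numbers yearly and one number can legitimately hold several orders."""

    def __init__(self) -> None:
        self._by_hawb = defaultdict(list)

    def register(self, hawb: int, order_no: str, recipient: str,
                 address: str, city: str, item: str) -> str:
        """Store a shipment and return the only link token that is ever emailed."""
        shipment = {"hawb": hawb, "order_no": order_no, "recipient": recipient,
                    "address": address, "city": city, "item": item,
                    "status": "In transit"}
        self._by_hawb[hawb].append(shipment)
        return f"{hawb}.{_mac(hawb, order_no)}"

    def lookup(self, token: str):
        """Resolve a token to one shipment, or None for a bare number, a tampered
        tag, or a tag that belongs to another order sharing the same number."""
        m = re.fullmatch(r"(\d{1,7})\.([0-9a-f]{32})", token or "")
        if not m:
            return None
        hawb, tag = int(m.group(1)), m.group(2)
        for shipment in self._by_hawb.get(hawb, []):
            if hmac.compare_digest(tag, _mac(hawb, shipment["order_no"])):
                return shipment
        return None


def public_view(shipment: dict) -> dict:
    """What the emailed link shows without a login: enough to know where the
    parcel is, nothing a caller could use to impersonate the vendor. The signed
    POD scan, recipient name and street address stay behind the customer's account."""
    return {"hawb": shipment["hawb"], "status": shipment["status"],
            "city": shipment["city"]}


# --- Detection on the carrier's side --------------------------------------
# Common-log-format requests to the tracking endpoint quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /listhawb\.asp\?searchtype=hawb&searchvalue=(?P<id>\d+)')

# Constructed sample: one client walks six consecutive IDs in six seconds,
# another client re-checks its own parcel twice during the day.
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Jan/2014:10:00:{i:02d} +0000] '
    f'"GET /listhawb.asp?searchtype=hawb&searchvalue={1138977 + i} HTTP/1.1" 200 5120'
    for i in range(6)
] + [
    '198.51.100.7 - - [01/Jan/2014:10:05:00 +0000] '
    '"GET /listhawb.asp?searchtype=hawb&searchvalue=1138977 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2014:18:30:12 +0000] '
    '"GET /listhawb.asp?searchtype=hawb&searchvalue=1138977 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2014:18:30:15 +0000] "GET /index.asp HTTP/1.1" 200 800',
]


def enumeration_suspects(log_lines, min_ids: int = 5) -> dict:
    """Return {client_ip: (first_id, last_id, count)} for clients that fetched at
    least min_ids distinct HAWB numbers forming an (almost) unbroken run."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(int(m["id"]))
    suspects = {}
    for ip, ids in seen.items():
        if len(ids) < min_ids:
            continue
        run = sorted(ids)
        steps_of_one = sum(1 for a, b in zip(run, run[1:]) if b - a == 1)
        if steps_of_one >= len(run) - 2:  # tolerate a gap or two in the walk
            suspects[ip] = (run[0], run[-1], len(run))
    return suspects
```

The emailed link becomes `1138977.<32 hex characters>`; the number is still sequential and still recycled, but only the holder of the tag can open the page, and two orders on a recycled number get two distinct links instead of one shared page. The threshold of five consecutive IDs in `enumeration_suspects` is an arbitrary starting point; on a real carrier the same check would run per client per time window and feed a rate limit rather than a report.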