While checking out Grab Parcel website, I found a link that looked a bit suspicious to me as it was from a different domain.
Grab Parcel was dependent on a 3rd party Detrack for delivery and tracking of the items. And to get the order details it required just one field, the Tracking ID. This means if I’m able to get a tracking id, I might be able to extract some sensitive PII information.
To get the tracking id, I checked out Twitter and found dozens of tracking numbers reported by customers to the Grab support. By using one of them, I was presented with a lot of juicy information about the customer. I was even able to download a PDF of the order details from that tracking Id. The PDF consisted of customer’s Mobile Number, Full Address with latitude and longitude, their image, their signature and what did they order.
To make this report critical, it was required me to brute force the tracking numbers. It took me a while as the tracking numbers were following a different pattern and spending some time over that, I was able to find hundreds of tracking ids in a few mins. Too much of sensitive data lying around.
Beware! Never share your Tracking/Order ID publicly. You never know, how much sensitive information you’re sharing in open.
I hope you liked my first blog post, another one coming soon on Zomato Account Takeover using Victim’s Facebook ID
Jul 17 - Submitted Report
Jul 17 - Response from Grab, Need More Info
Jul 17 - Submitted another PoC
Jul 17 - Triaged
Jul 18 - Fixed