UK parcel firm Yodel plugs tracking app's random yaps about where on map to snap up strangers' tat
Shipped from expensive shop X? In the shed, you say? Researcher spots badness
Parcel wrangler Yodel has caulked up a security hole in which random user data leaked to people using its Android app.
The glitch was spotted by security researcher Ax Sharma. He contacted us having failed to get any action out of Yodel when he informed the company via Twitter and web chat.
The problem is not well timed, with online shopping and related white van activity hitting its seasonal peak in the run-up to Christmas.
Sharma told us he had noticed that every time he refreshed the application, he was shown a different – apparently random – set of packages that were not destined for his address.
The glitch showed users fairly sensitive information beyond package location, including the sending retailer, the package's destination and – crucially – any special instructions for the driver.
Sharma noted that the app also allowed users access to further menu options on strangers' entries, meaning they could theoretically reschedule or cancel deliveries – or even redirect parcels to another address.
Sharma contacted Yodel on Saturday afternoon but said he was told there was "no security problem". He then blogged about the issue here.
A couple of Twitter users were also seeing other people's parcels over the past week, and there are reviews on the Play store noting the security hole too.
One Twitter user said: "I have other people's deliveries on my Yodel app today too! Couldn't work out for the life of me how I had so many deliveries coming then realised they were in Dartford, Borehamwood etc when I'm in Edinburgh!"
The app was last updated on 18 November, and we cannot see reviews complaining about it leaking customer details before that date.
Yodel told The Reg last night: "Following an investigation into the issue we can confirm that it is now resolved, with the Yodel app running again as normal."
It would not elaborate on the nature of the error.
And, of course, it told us, it takes data protection... "very seriously".
Yodel garners regular gongs as the UK's least favourite courier company, although it would probably point out that it does not get much credit for delivering several hundreds of thousands of parcels a day successfully. ®