Proof-of-delivery photos for many Amazon packages publicly accessible for months

CBC

January 13, 2023 at 5:00 a.m.·4 min read

Photos obtained by CBC before BNI's unsecured tracking database was made inaccessible show it was easy to see delivery photos and details. (CBC - image credit)

People who received an Amazon package delivered by the New Brunswick-based company BNI in the last few months likely had photos of their front doors accessible online, in the latest example of a type of privacy breach that cybersecurity experts know all too well.

Maxime St-Pierre, a freelance web developer, discovered that a database of BNI tracking and delivery notices — including proof-of-delivery photos, exact GPS co-ordinates and time of the delivery — were publicly accessible to anyone with a computer.

"I just stumbled on it," said St-Pierre, who was curious about the tracking software when he got his own package delivered by BNI.

Names are not included in the database, nor payment and credit card information, but some delivery photos show the shipping label, which includes names and addresses of the receiver.

BNI, also known as Brunswick News Inc., was owned by J.D. Irving Ltd. until Postmedia acquired it last year. The company delivers Amazon packages not just across New Brunswick, but in other provinces, including Ontario, Quebec, Nova Scotia and Prince Edward Island.

In a statement, Postmedia spokesperson Phyllise Gelfand said the company "was recently made aware" of the issue.

The so-called "S3 bucket" database where BNI stores all of its tracking and delivery information was misconfigured to be public, which it should have been set to private, St-Pierre said.

"We immediately shut down access to these files and within hours implemented a permanent solution. Only the individual customers can now see their delivery photos," she said.

"The images may display, at most, name and address, and perhaps identify the vendor."

Edit an URL, find a package?

The company's tracking numbers are sequential, so if someone had one tracking number, they could change a few digits and get someone else's tracking information.

With some trial and error, someone could have identified the most recent deliveries, their locations and the time the photo was taken.

With minimum software knowledge, people were able to edit the URL in a browser and find the root list of every entry in the database, St-Pierre said, which is how he found it.

He said in a secured database, access would be denied.

St-Pierre said the database service BNI is using is public by default, so he's seen this issue many times before. He said this shows how important it is to always check possible privacy breaches, and continually perform security audits.

"They're just low hanging fruit. If somebody can find them in 15 minutes, what can they find if they had, like, four, eight, 12 hours?" he said.

Tried to contact company first

St-Pierre said he stumbled on this unsecured database two months ago, and tried to contact BNI and alert them of the issue.

But his emails and calls went unanswered, and he finally on Wednesday posted the discovery online to warn people.

Within four hours, BNI took down the tracking website.

Gelfand said the company is still looking into how long this has been an issue.

"As you know, Postmedia acquired the business in March 2022 and is currently rolling the acquired platforms into our audited security practice," she said.

She said if customers have concerns, they can contact Postmedia's privacy officer.

St-Pierre said he is glad the company made the changes quickly.

"I've seen companies that do not take actions for weeks and weeks … But in this case got to give them credit where credit is due."

Effect on customers can't be easily known

Cybersecurity expert David Shipley said these types of database breaches are very common, and this is not even close to the worst instance.

In 2019, Capital One Financial's database was breached because of an improperly secured S3 database.

Shipley said it's difficult to say exactly what impact BNI's unsecured database could have on customers, because he doesn't know if the database was in fact accessed by anyone with nefarious intent.

"Were people actually affected or was the door just left wide open?" he said.

He said there are logs that could show irregular activity and help answer that question.

The fact that payment information and the details of package contents were not in the database is good news, he said.

The Daily Beast
‘The View’s’ Ana Navarro Uses Nude Melania Trump Photo to Defend Kamala Harris
Ana Navarro, a long-time co-host of The View, posted on her Instagram Thursday an old photo of nude Melania Trump as a way to troll her husband’s supporters, saying: “You wanna go low? ... I’ll happily go 20,000 leagues under the sea.”It was a picture from 2000 featured in British GQ, five years before Donald Trump married her.Navarro also included a picture of both Trumps partying with Jeffrey Epstein and Ghislaine Maxwell, also from 2000. Her explanation for posting these images was that it wa
The Daily Beast
FBI Is Not Fully Convinced Trump Was Struck by a Bullet
FBI Director Christopher Wray revealed during a marathon testimony on Wednesday that investigators still do not know if former President Donald Trump was grazed by a bullet or a piece of shrapnel during his attempted assassination.Twice during the hours-long session, Wray told lawmakers that the FBI was still working to determine what exactly struck the former president on his right ear during a rally in Butler, Pennsylvania. “My understanding is that either it [a bullet] or some shrapnel is wha
Good Housekeeping
Céline Dion Fans Won't Believe How Much She’s Getting Paid by the Olympics
Céline Dion and Lady Gaga are performing a duet at the 2024 Paris Olympics opening ceremony. Here's how much they are reportedly being paid for one song.
The Daily Beast
Donald Trump Seen in Public Without Ear Bandage
Donald Trump ditched his ear bandage for his meeting with Israeli Prime Minister Benjamin Netanyahu on Friday. The former president’s right ear returned to public life after being injured during the assassination attempt on the former president on July 13.The former president’s large bandage became an impromptu fashion statement during the Republican National Convention with some attendees donning DIY wound dressings. Following the convention, Trump swapped out his bulky white gauze for a thin n
BuzzFeed
Kamala Harris' Press Release About Donald Trump's Fox News Appearance Is Going Viral
"Something about the question mark after 'old and quite weird' is taking me out."
Rolling Stone
Harris Taunts Trump After He Backs Out of Debates
“What happened to ‘any time, any place’?”
Miami Herald
Ana Navarro just posted a racy throwback pic of Melania — and the Internet has opinions
The GQ spread appeared in 2000
HuffPost
Stephen Colbert Taunts Trump With Absolutely Brutal Reminder About Melania
The "Late Show" host mocked the former president over one curious claim.
The Daily Beast
Harris Campaign Trolls ‘78-Year-Old Criminal’ Donald Trump After Fox News Appearance
Kamala Harris’ campaign trolled Donald Trump after his appearance on Fox News Thursday morning with a statement attacking his age and criminal conviction.The Republican gave his two-cents to Fox & Friends on a range of issues over the course of a roughly 30-minute interview, variously describing President Joe Biden as a “problemmed man” and slamming Harris as “real garbage.” Harris for President quickly hit back, releasing a: “Statement on a 78-Year-Old Criminal’s Fox News Appearance.”“After wat
HuffPost
Trump Responds To Claims He's 'Cognitively Challenged' In Bafflingly Weird Way
The former president brought it up twice during a rally in North Carolina.
HuffPost
Alexandria Ocasio-Cortez Puts Elon Musk In His Place With Perfectly Patronizing Reminder
The New York legislator only needed a tweet to shut down the tech billionaire.
Hello!
Prince Harry reveals real reason he won't let Meghan Markle return to the UK
Prince Harry has revealed the terrifying reason he won't bring his wife the Duchess of Sussex, to the UK, in a shocking new interview. Find out more here...
HuffPost
Donald Trump's Critics Actually Agree With His Latest Wild ‘Instruction’
The GOP nominee's comment on Fox News prompted no end of snarky replies.
Popular Mechanics
A 2,000-Year-Old Sarcophagus Was Just Unsealed—and the Mummy Inside is Mind-Blowing
Experts working in the Tomb of Cerberus in Naples unsealed a 2,000-year-old sarcophagus—and the mummy inside was shockingly well-preserved.
Hello!
Selena Gomez jumps on the yellow swimsuit trend in romantic snap with Benny Blanco
The Only Murders in The Building star shared a series of stylish vacation snaps on Instagram
Hello!
Rita Ora just styled bedazzled latex lingerie with sheer tights
Rita Ora just made a case for latex lingerie while performing to 50 thousand people. See photos
People
Mick Jagger's Girlfriend Melanie Hamrick, Bandmates Mark His 81st Birthday with Touching Tributes: 'We Love You'
Melanie Hamrick, Ronnie Wood, Keith Richards and more toasted the rock icon with Instagram tributes on Friday, July 26
Yahoo News Canada
Jasper National Park engulfed in flames: Shocking before and after photos show famous Maligne Lodge burning as Alberta wildfire spreads
Canadians are sharing before and after images of Maligne Lodge at Jasper National Park in Alberta after wildfires engulfed the region.
People
Christina Hall Claims Estranged Husband Josh 'Took Items' from Home, Turned On Security Cameras After Split
The HGTV star alleges that Josh made an unscheduled visit to their Newport Beach home after filing for divorce in a legal filing obtained by PEOPLE
The Independent
Trump campaign finally reveals why ex president continues to profess love for Hannibal Lecter in speeches
Suggestions have ranged from the former president confusing the meaning of the word ‘asylum’ when talking about migrants to simple jokes

Latest Stories