Proof-of-delivery photos for many Amazon packages publicly accessible for months

Photos obtained by CBC before BNI's unsecured tracking database was made inaccessible show it was easy to see delivery photos and details.  (CBC - image credit)
Photos obtained by CBC before BNI's unsecured tracking database was made inaccessible show it was easy to see delivery photos and details. (CBC - image credit)

People who received an Amazon package delivered by the New Brunswick-based company BNI in the last few months likely had photos of their front doors accessible online, in the latest example of a type of privacy breach that cybersecurity experts know all too well.

Maxime St-Pierre, a freelance web developer, discovered that a database of BNI tracking and delivery notices — including proof-of-delivery photos, exact GPS co-ordinates and time of the delivery — were publicly accessible to anyone with a computer.

"I just stumbled on it," said St-Pierre, who was curious about the tracking software when he got his own package delivered by BNI.

Names are not included in the database, nor payment and credit card information, but some delivery photos show the shipping label, which includes names and addresses of the receiver.

BNI, also known as Brunswick News Inc., was owned by J.D. Irving Ltd. until Postmedia acquired it last year. The company delivers Amazon packages not just across New Brunswick, but in other provinces, including Ontario, Quebec, Nova Scotia and Prince Edward Island.

In a statement, Postmedia spokesperson Phyllise Gelfand said the company "was recently made aware" of the issue.

The so-called "S3 bucket" database where BNI stores all of its tracking and delivery information was misconfigured to be public, which it should have been set to private, St-Pierre said.

Evan Mitsui/CBC
Evan Mitsui/CBC

"We immediately shut down access to these files and within hours implemented a permanent solution. Only the individual customers can now see their delivery photos," she said.

"The images may display, at most, name and address, and perhaps identify the vendor."

Edit an URL, find a package?

The company's tracking numbers are sequential, so if someone had one tracking number, they could change a few digits and get someone else's tracking information.

With some trial and error, someone could have identified the most recent deliveries, their locations and the time the photo was taken.

With minimum software knowledge, people were able to edit the URL in a browser and find the root list of every entry in the database, St-Pierre said, which is how he found it.

He said in a secured database, access would be denied.

St-Pierre said the database service BNI is using is public by default, so he's seen this issue many times before. He said this shows how important it is to always check possible privacy breaches, and continually perform security audits.

"They're just low hanging fruit. If somebody can find them in 15 minutes, what can they find if they had, like, four, eight, 12 hours?" he said.

Tried to contact company first

St-Pierre said he stumbled on this unsecured database two months ago, and tried to contact BNI and alert them of the issue.

But his emails and calls went unanswered, and he finally on Wednesday posted the discovery online to warn people.

Within four hours, BNI took down the tracking website.

Gelfand said the company is still looking into how long this has been an issue.

"As you know, Postmedia acquired the business in March 2022 and is currently rolling the acquired platforms into our audited security practice," she said.

She said if customers have concerns, they can contact Postmedia's privacy officer.

St-Pierre said he is glad the company made the changes quickly.

"I've seen companies that do not take actions for weeks and weeks … But in this case got to give them credit where credit is due."

Effect on customers can't be easily known

Cybersecurity expert David Shipley said these types of database breaches are very common, and this is not even close to the worst instance.

In 2019, Capital One Financial's database was breached because of an improperly secured S3 database.

Jennifer Sweet/CBC
Jennifer Sweet/CBC

Shipley said it's difficult to say exactly what impact BNI's unsecured database could have on customers, because he doesn't know if the database was in fact accessed by anyone with nefarious intent.

"Were people actually affected or was the door just left wide open?" he said.

He said there are logs that could show irregular activity and help answer that question.

The fact that payment information and the details of package contents were not in the database is good news, he said.