Security issues with Bpost’s parcel tracking website
A VRT News investigation has uncovered security and privacy issues with the website of the Belgian post office Bpost. Users of the site were not only able to look up the details of a parcel that was on its way to them or their recipient, but also the details of parcels destined for some other recipients. The details given include a code required to pick up the parcel from a Post Point or a Bpost parcel collection machine. Bpost has since corrected the security breach.
Whenever you send or are being sent a parcel via the Belgian post office Bpost you are given a tracking and tracing code. The code enables you to track the parcel on Bpost's website. The code should be strictly personal and specific to one parcel. However, an IT professional who contacted VRT News discovered by chance that he was able to access the details of numerous parcels that were not destined for him.
By using the search function on Bpost’s track and trace website he was able to find not only the name of the parcel’s recipient, but also the place where the parcel would be delivered and the unique code number to be used when collecting it from a Post Point or from a parcel collection machine. It is important to mention that the details of not every parcel in the system could be accessed. The issue affected a limited number of parcels that had mainly been sent by private individuals.
However, this not only constitutes an infringement of privacy laws, but also makes it possible to go and collect a parcel that was destined for someone else. It is a busy period for postal and parcel services in many countries, including Belgium. Pressure of work means that staff in Post Points (shops that offer some postal services, including parcel collection) sometimes don’t ask people to show them their identity card when they go and collect a parcel. The Bpost code is sufficient, as is the case when collecting a parcel from a parcel collection machine.
VRT News put it to the test
On the Bpost website VRT News found the details of a parcel that was to be delivered to a woman called Saartje. We called Saartje and asked her permission for us to try and collect her parcel using nothing more than the information we had found on the website. She agreed and we were able to collect the parcel from a Post Point. We then took it to its rightful recipient.
In the meantime, Bpost has resolved the security issue with its website. A post office spokesperson told VRT News that it is now only possible to look up the tracking and tracing details of a parcel using the unique barcode number.