Alex Yancey

A cheeky audit of smart package lockers

Blurred collage of photo data collected during testing

In my apartment complex, we use Parcel Pending (a product of Quadient) smart lockers. Basically, the courier inputs a code on the locker, selects the recipient, and puts the package in the locker. The tenant gets a code sent to their phone which unlocks the locker. It's pretty much a no-brainer for the managers since it makes their life easier and reduces trips to the elevator to deliver packages individually.

When I logged onto the member portal, I noticed there was a "View Pickup Picture" link, and sure enough, there was a picture of me picking up my package. There is no notification to the user that a picture has been taken.

Photo of me picking up a package

When you click the link, the browser POSTs to https://my.parcelpending.com/parcel-history/getpickupimage with a parcel ID and locker ID. It returns a signed S3 URL. Surely it validates that you can only view pickup images for parcels destined for you, right?

After a bit of poking around, you might be surprised (or not surprised) to find out the answer to this is no. By incrementing the parcel ID I was able to download hundreds of pictures of random people picking up their packages.

URL format: https://ppkiosk.s3.us-west-1.amazonaws.com/company/<COMPANY_ID>/<LOCATION_ID?>/parcel_pickup/<PARCEL_ID>.jpeg. By enumerating through the pickup images, you could gain pretty good insight into exactly how many customers Parcel Pending has, and how many locations they have. You could, for example, find all the images associated with one particular building.
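The missing ownership check behind the getpickupimage endpoint, shown as an added example that is not Parcel Pending's code: the vulnerable handler looks the parcel up by ID alone, while the hardened handler also requires that the parcel was delivered for the authenticated tenant. The parcel table, field names and signing stand-in are assumptions constructed for the example.

```python
# Added example, not Quadient/Parcel Pending code. Models the endpoint as plain
# functions over a constructed in-memory parcel table so it runs offline.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Parcel:
    parcel_id: int
    locker_id: int
    recipient_id: int   # tenant the courier selected at delivery (assumed field)
    company_id: int
    location_id: int


# Constructed sample data: two tenants (42 and 77) at the same building.
PARCELS = {
    1001: Parcel(1001, locker_id=7, recipient_id=42, company_id=3, location_id=12),
    1002: Parcel(1002, locker_id=9, recipient_id=77, company_id=3, location_id=12),
}


def sign_s3_url(parcel: Parcel) -> str:
    # Stand-in for presigning; a real service would call an S3 client's
    # presign routine and get a short-lived signature back.
    return (f"https://ppkiosk.s3.us-west-1.amazonaws.com/company/{parcel.company_id}"
            f"/{parcel.location_id}/parcel_pickup/{parcel.parcel_id}.jpeg"
            "?X-Amz-Signature=constructed")


def get_pickup_image_vulnerable(current_user_id: int, parcel_id: int,
                                locker_id: int) -> Optional[str]:
    """Behaviour the post describes: the caller's identity is never consulted,
    so any sequential parcel ID with a matching locker ID yields a signed URL."""
    parcel = PARCELS.get(parcel_id)
    if parcel is None or parcel.locker_id != locker_id:
        return None
    return sign_s3_url(parcel)


def get_pickup_image_fixed(current_user_id: int, parcel_id: int,
                           locker_id: int) -> Optional[str]:
    """Hardened form: the parcel must belong to the authenticated tenant.
    A foreign parcel gets the same response as a nonexistent one, so the
    endpoint does not confirm which parcel IDs exist. Opaque IDs would only
    slow enumeration; this server-side check is the actual fix."""
    parcel = PARCELS.get(parcel_id)
    if parcel is None or parcel.locker_id != locker_id:
        return None
    if parcel.recipient_id != current_user_id:
        return None
    return sign_s3_url(parcel)
```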

The incident was acknowledged by Quadient's bug bounty contact and resolved.