A cheeky audit of smart package lockers
In my apartment complex, we use Parcel Pending (a product of Quadient) smart lockers. Basically, the courier inputs a code on the locker, selects the recipient, and puts the package in the locker. The tenant gets a code sent to their phone which unlocks the locker. It's pretty much a no-brainer for the managers since it makes their life easier and reduces trips to the elevator to deliver packages individually.
When I logged onto the member portal, I noticed there was a "View Pickup Picture" link, and sure enough, there was a picture of me picking up my package. There is no notification to the user that a picture has been taken.
When you click the link, the browser POSTs to
https://my.parcelpending.com/parcel-history/getpickupimage with a parcel ID and locker ID. It returns a signed S3 URL. Surely it validates that you can only view pickup images for parcels destined for you, right?
After a bit of poking around, you might be surprised (or not surprised) to find out the answer to this is no. By incrementing the parcel ID I was able to download hundreds of pictures of random people picking up their packages.
https://ppkiosk.s3.us-west-1.amazonaws.com/company/<COMPANY_ID>/<LOCATION_ID?>/parcel_pickup/<PARCEL_ID>.jpeg. By enumerating through the pickup images, you could gain pretty good insight into exactly how many customers Parcel Pending has, and how many locations they have. You could, for example, find all the images associated with one particular building.
This isn't a crazy exploit or anything, but as a customer of this product, I don't like that anyone in the world could be looking at pictures of me picking up my Amazon packages. I attempted to contact Quadient, but so far haven't gotten a response from them.
- 2021-09-24 - Attempted contact with Quadient
- 2021-10-14 - Attempted contact with Quadient