I have some weird hobbies, and one of those is opening up the network tab on just about anything I'm using. Sometimes, I find egregious problems. Usually, this is something that can be fixed, when responsibly reported. But over time, I learned a bitter lesson: sometimes, you can't get it fixed.
Recently, I was waiting for a time-sensitive delivery of medication. It used a courier company which focused on just delivering prescription medications. I opened up the tracking page on my computer, and saw the information I wanted: the medication would probably arrive around 6 PM.
But... what if there's more? And what are they doing with my data? Can anyone else see it?
So I peeked at the network tools, and was disappointed by what I saw. The first time this happened, I was surprised. By now, I expect to see this. And what I saw was every customer's address along the delivery route. I also saw how much the courier would get paid per stop, what their hourly rate was, and the driver's GPS coordinates (though these were sometimes missing).
After the package was delivered, the tracking page changed and displayed a feedback form, my signature, and a picture of my porch. The JSON payload no longer included the entire route, but it included my address, and the payload from an easily guessable related endpoint did still contain the entire route. And that route? It included other recipients' ids, which can be used to find their home addresses, names, contents of the package (sometimes), a photo of their porch, and a copy of their signature.
Um. This is bad, right?
I've actually found approximately this vulnerability in two separate couriers' tracking pages (and they're using different software). One of them was even worse for them, it included their Stripe private key, I suppose as a bug bounty for people without ethics. And each time I find it, I try to report it.
And I fail. They don't let me report it.
These companies don't list security contacts. The staff I can find on LinkedIn or their website don't have email addresses that I can find or guess. Mail sent to the addresses I do find listed has all bounced.
I tried going through back channels. I messaged the pharmacy which was using this courier. I talked to my prescriber, who was shocked at this issue. And the next time I got a delivery, it came via UPS instead (they do not have a leaky sieve for a tracking page, but they did "lose" my prescription once).
But I don't know if they just did that for me, the miscreant who looks at her network tools? Or did they switch everyone over to a different courier? Either way, at least my data was safe now, right?
It was, until I started using a different pharmacy, and this one is back to using the leaky couriers again. Sigh.
I got pretty upset about this at one point. There's a security issue! Data is being leaked, I must get this fixed! And someone told me something really wise: "it's not your responsibility to fix this, and you've done everything you can (and more than you had to)."
And ultimately, she was right. I was getting myself worked up about it, but it's not my responsibility to fix. Sometimes there will be things like this that are bad, that I cannot fix, and that I have to accept.
So, where do I go from here? I could probably publicly name-and-shame the couriers, but it would not do anything productive. It would not get their attention to fix it, and it wouldn't be seen by the folks who need to know (pharmacists and prescribers). So I'm not going to disclose the specific company, because the main thing it would do is risk me getting in legal trouble, for dubious benefit. I've already notified the pharmacists and prescribers that I know; it's on them, if they want to let anyone else know.
If you're looking for help on a software project, please consider working with me!