Leaking PII of Apple pre-order customers

Hihi!

N.B. Consent was received from Apple to disclose this bug. No data is disclosed in the article, and to respect privacy the couriers name is redacted.

Today I'm writing about a very simple chain of bugs I found in the tracking site of the courier that delivers UK Apple preorders, that lead to the disclosure of the name and address of everyone who preordered an iPhone X (and theoretically previous Apple products) in the UK.

TL;DR

The tracking website of the carrier Apple use for device pre-orders in the UK disclosed the name, address and order number of recepients in an invisible text field, and the tracking numbers were sequential. Because of this, it would've been trivial to harvest the PII of thousands of Apple customers.

Finding the bug

My discovery process started when I got an email from Apple telling me my iPhone was dispatched and would be delivered by a carrier whose name I wasn't familiar with. I order a lot of stuff online in the UK and had never heard of them before, so I was particularly intrigued.

I opened the tracking and was greeted with this page:

My iPhone X tracking history // Courier Tracking Page

I-I-It's not like I was hunting for bugs here (baka!), but curious about the tracking page, I opened "View source" and saw something straight away that concerned me:


Source of my iPhone X tracking history // Courier Tracking Page

My name and address were in the source but display: none;'d - also that it was an Apple order. My immediate thought was to see if the tracking numbers were random or sequential. So my ID plus 1 yields:


Source of my iPhone X shipment neighbour's tracking history // Courier Tracking Page

Yikes! I did it once more and determined it was likely sequential, and decided it would be a good time to stop and send it in.

Disclosure Timeline

  • 2017-11-02: Vulnerability details disclosed to Apple Product Security
  • 2017-11-02: Additional clarification requested and provided
  • 2017-11-02: Vulnerability triaged and escalated
  • 2017-11-13: Got in contact with a Security Manager at the courier and confirmed
  • 2017-11-14: Confirmation of fix provided by the courier
  • 2017-11-14: Request for public disclosure sent to Apple and the courier
  • 2017-12-31: I forgot about the writeup, wrote the draft and sent in the requested drafts to Apple
  • 2018-01-16: Greenlight from Apple ProdSec on the article
  • 2018-01-19: Greenlight from the courier

Once I got in touch with the courier directly they resolved this near immediately and took this very seriously. The whole process was very smooth and I'm very happy with the efforts of Apple and the carrier to get this fixed. ☺️

Thanks for reading "not the same origin" - my new blog. I'll hopefully be posting a mix of things here, but I'll mainly be focusing on "Steps to Reproduce", writeups of the more interesting/impactful vulnerabilities I've disclosed. These posts are written in a similar style to how I write up the reports I send to teams; if you have any feedback please let me know.