Leaking and shipping

Matt Metzger, who describes himself as a cybersecurity engineer, has used the Hackernoon website to publish documents showing that it may be less than safe to order Samsung products from its official store. Metzer purchased a Samsung TV set and had it shipped to his home in New York. He then received a URL to track the delivery. After following the link, he discovered there were two orders, and the other purchase was definitely someone else’s. Surprised, Metzer contacted Samsung, only to be told that the Korean giant sometimes reuses tracking numbers from previous orders instead of each time generating a unique new one. The practice in itself puts confidential data in danger, but along with the tracking number Metzer was also sent a TIFF file with his own name, delivery address and even his signature. The sensitive details like these are naturally a treasure find for cybercriminals.

According to Metzer, it would be quite easy to code a bot that would go to the online store to enter random seven-digit numbers like the ones generated for tracking. The program will likely obtain more user data this way, he said.

Online researchers have already run a test by manually entering random numbers on the website to quickly gain access to information on over 40 orders. Metzer says that a company as large as Samsung should be more careful with the handling of its customers’ sensitive data. Samsung has since admitted there is a problem and said they are working on a solution. The company put the blame on Associated Global Systems, which is responsible for shipping and has not yet issued a comment.