Skip to navigation Skip to main content Skip to footer

Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup

30 March 2021

By Dan Hastings

Vendor: ParcelTrack
Vendor URL: https://www.parceltrack.de/
Versions affected: ParcelTrack Android Version 3.3, ParcelTrack iOS Version 3.3
Author: Dan Hastings – dan.hastings[at]nccgroup[dot]com

Summary

Upon start of the ParcelTrack application any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to Parcel Track’s servers.

Impact

Sensitive PII such as credit card numbers and passwords often live on the global pasteboard. If any sensitive data is contained on the pasteboard when a user starts the ParcelTrack app this data would sent to ParcelTrack’s servers.

Details

On start of the ParcelTrack application the app will grab any data contained on the global pasteboard/clipboard and send it in an HTTP GET request to ParcelTrack’s server.

Example Request:

https://parceltrack.de/api/v3/couriers/async?user_id=redacted device_id=redacted break_on_user_parcel=1 q=sensitiveclipboarddataRedacted source=clipboard

Vendor Recommendation

Consider not sending any pasteboard to ParcelTrack’s servers. If the pasteboard is needed, then provide users with the ability to deny the ParcelTrack app access to data on their clipboard. If clipboard access is granted, implement functionality that determines what type of carrier is contained on the pasteboard on the device before sending to ParcelTrack’s servers.

User Recommendation

Upgrade to the latest version of ParcelTrack, which contains the fixes for this vulnerability:

  • Android: ParcelTrack 3.4 or higher
  • iOS: ParcelTrack 3.4 or higher

Vendor Communication

2020-02-12: NCC Group emailed ParcelTrack to initiate vulnerability disclosure process
2020-03-12: ParcelTrack acknowledges NCC Group’s email
2020-09-12: ParcelTrack communicates intention to patch the vulnerability
2020-14-12: ParcelTrack publishes patch for Android (version 3.4)
2020-31-12: ParcelTrack publishes patch for iOS (version 3.4)
2021-30-03: NCC Group advisory released

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published Date: March 30 2021

Written by: Dan Hastings