Blog: Vulnerability Advisory
Tracking Amazon delivery staff
TL; DR
- The Amazon delivery tracking API allows ultra-precise tracking of drivers.
- Amazon claim that customers can only track the driver for the 10 stops prior to theirs.
- This isn’t the case – one can track the driver on the entire route and all drops, including their speed on the road.
- This precise tracking appears to reveal the location of ‘safe spots’ where customers ask for parcels to be left out of sight.
- Amazon closed the report as “informational” despite being provided with evidence of the mismatch between the intended and actual functionality.
Introduction
Have you ever stood by your window waiting for a delivery because you need to head out to do something, or just out of impatience? I am very impatient, which led me to this finding. I found a strange issue with an Amazon API endpoint that temporarily appears when your package is a few stops away (the thing that gives you a slow-updating map). I created a Ruby script that polls the endpoint to track my delivery driver’s device in real-time, which was overlaid on a Google Map.
The API Endpoint
The below code example is the base request to the Amazon endpoint, which requires a tracking number and some session information, all of which are easily found by placing an order. This endpoint was initially found by intercepting my network traffic whilst impatiently looking at the Amazon-provided map.
GET /DEANSExternalPackageLocationDetailsProxy/trackingObjectId/QA***/clientName/AMZL HTTP/1.1 Host: securephotostorageservice-eu-external.amazon.co.uk Cookie: session-id=X-X-X; session-id-time=X; ubid-acbuk=X-X-X; at-acbuk=X; sess-at-acbuk=X Connection: close x-amzn-SessionId: X-X-X Accept: application/json User-Agent: AGENT
It should be noted that it is not possible to track parcels on other delivery routes unless you have their tracking number and session information. You can track deliveries on your drivers route OR You can only track your driver until your parcel is delivered.
A successful request will give you the following response:
Example Response
The response gives you plenty of information, but the key points are highlighted within the red boxes. You could just use this information to track your parcel in real-time if you needed to, however, this issue poses a much greater threat if used with malicious intentions. Let me show you.
‘Borrowing’ Amazon’s Third Eye
I polled that endpoint every 15 seconds and saved every response to a file, which was later processed and overlaid onto a Google Map, which gives a much better visual. My personalised map contains every GPS coordinate, which is arranged into an ordered route that could be viewed and investigated.
This is a snippet of my bespoke map but I will dive deeper into my map further down this post.
Google Map Example
Here you can see a summary of my route map that shows I have 1075 GPS coordinates.
Number Of GPS Coordinates
On closer inspection, you can see that the delivery driver’s portable device is being tracked as you can see the GPS points show a route inside Morrison’s Petrol Station. My guess is that they’re paying for fuel.
Morrison’s Petrol Station
This is where things start to get interesting as it raises a few points. Are Amazon delivery staff aware they are being tracked to this level (by users or Amazon)? Does Amazon track their staff like this? Does this pose a threat to Amazon’s customers?
Tracking a portable device that is held by delivery staff renders customers vulnerable to a host of attacks such as theft or social engineering attacks. I could identify who has recently received a parcel, I could intercept a delivery, or I could identify where your designated safe spot or neighbour is. I could (if I were a criminal) pay your neighbour or safe spot a visit to claim a few goodies. I should clearly state that I have not invaded any safe spots or robbed your Amazon driver… Here are a few examples.
Potential Safe Spot #1
Potential Safe Spot #2
On the surface it sounds like a minor issue with no or little impact, but seeing the above evidence changed my perspective. It makes it real and a bit creepy when you stick the GPS coordinates and delivery number to a real address. It struck me that this could also be useful in a social engineering exercise too: one could send a parcel to the target organisation and monitor how couriers are received. Are they given free realm to walk the building floors to deliver their package?
Yes, of course one could achieve similar by simply following the driver in another vehicle, but it would be rather obvious to the driver that they were being followed.
As an aside, I could also see if a driver had simply skipped my stop:
Disclosure & Amazon’s Response
I disclosed this vulnerability with plenty of resources (screenshots and my script) to Amazon via their HackerOne Vulnerability Research Program, however, it did not go as expected. I chased, chased some more, and chased a little more for the report to be closed without a final discussion. I will include a snippet of the discussion below.
Disclosure Timeline
- Initial Discovery: 5th March 2021
- Belated disclosure time as research was being conducted into the risk, impact and data analysis.
- Disclosed via HackerOne: 23rd March 2021
- First Response (Amazon): 25th March 2021
- Second Response (Amazon): 30th March 2021
- Last Response (Amazon): 5th April 2021
Conclusion
I don’t understand why Amazon made the claim about ’10 prior stops’ then failed to address it when challenged.
Such precise tracking simply isn’t necessary for customers to track their deliveries. A much lower position sampling rate would mitigate the problem.
I think everyone expects Amazon to precisely track their staff, but we didn’t expect customers to be able to do so this easily.
Whilst we are limited to only tracking the driver on the route they take to deliver a parcel to us, it wouldn’t take much to place multiple orders to multiple locations and start to build a significant picture of Amazon driver patterns of behaviour. Are they speeding through pressure to make too many drops in a day? Are they being forced to jeopardise their safety, perhaps by running across busy roads (read the Amazon FLEX story)? Are drivers struggling to take ‘comfort’ breaks or take suitable rest breaks to ensure they are alert and not excessively tired when driving?
Or are Amazon ‘all over it’ as a result of the precise tracking? We don’t know, but the data could be revealing.