Remember Olestra? Time named it one of the worst inventions ever. It introduced us to the phrase ‘anal leakage’ and ‘reduced anal leakage’.
Well, today I’m checking on the shipping progress of Bike v3. Yes, a new e-bike is ordered.
And you get a very simple URL:
https://dayross.com/track/shipment/history?probill=VAN3204252#
Looks to me like that is a counter. Lets try changing it:
https://dayross.com/track/shipment/history?probill=VAN3204253
Yup, story checks out. There is a set of bikes they shipped on this day, and the cities they shipped to. You can also see from the weight what model it is. So we can see they shipped 6 bikes on Aug 21, 2018, and we know the product mix.
Now, lets say this was a public company. And we wanted to see how the quarter was going. Interesting. This is a lot of information to leak. You could improve it by making the shipping numbers non-sequential (UUID maybe). People have to be able to read them over the phone and type them, so maybe not. Or you could ask for confirmation of ship-to city before showing. Or you could make it tedious (add a captcha).
Leave a Reply