Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Vendor: ParcelTrack Vendor URL: https://www.parceltrack.de/ Versions affected: ParcelTrack Android Version 3.3, ParcelTrack iOS Version 3.3 Author: Dan Hastings – dan.hastings[at]nccgroup[dot]com
Upon start of the ParcelTrack application any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to Parcel Track’s servers.
Sensitive PII such as credit card numbers and passwords often live on the global pasteboard. If any sensitive data is contained on the pasteboard when a user starts the ParcelTrack app this data would sent to ParcelTrack’s servers.
On start of the ParcelTrack application the app will grab any data contained on the global pasteboard/clipboard and send it in an HTTP GET request to ParcelTrack’s server.
https://parceltrack.de/api/v3/couriers/async?user_id=redacted device_id=redacted break_on_user_parcel=1 q=sensitiveclipboarddataRedacted source=clipboard
Consider not sending any pasteboard to ParcelTrack’s servers. If the pasteboard is needed, then provide users with the ability to deny the ParcelTrack app access to data on their clipboard. If clipboard access is granted, implement functionality that determines what type of carrier is contained on the pasteboard on the device before sending to ParcelTrack’s servers.
Upgrade to the latest version of ParcelTrack, which contains the fixes for this vulnerability:
- Android: ParcelTrack 3.4 or higher
- iOS: ParcelTrack 3.4 or higher
2020-02-12: NCC Group emailed ParcelTrack to initiate vulnerability disclosure process
2020-03-12: ParcelTrack acknowledges NCC Group’s email
2020-09-12: ParcelTrack communicates intention to patch the vulnerability
2020-14-12: ParcelTrack publishes patch for Android (version 3.4)
2020-31-12: ParcelTrack publishes patch for iOS (version 3.4)
2021-30-03: NCC Group advisory released
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published Date: March 30 2021
Written by: Dan Hastings