![\"\"](\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2021\/12\/Pick-n-Pay-Dawn-Wing-security-vulnerability.jpg\")
<\/a>Redacted screenshot illustrating a privacy flaw in the Pick n Pay \/ Dawn Wing delivery tracking site<\/p><\/div>\n
\n
Several Pick n Pay customers who used the company’s delivery service have had their data exposed online, a tip from a MyBroadband reader has revealed.<\/p>\n
Customer delivery information for Pick n Pay’s online shopping service was available on a tracking website for courier Dawn Wing to anyone on the Internet who knew where to look.<\/p>\n
The site exposed people’s names and addresses, and included photos of their orders taken by couriers to prove that they had delivered the items.<\/p>\n
Order tracking pages also included photos of the driver and the driver’s vehicle, together with their licence plate number.<\/p>\n
This data was exposed because Dawn Wing and Pick n Pay used sequential order numbers in the URL to allow customers to track their deliveries.<\/p>\n
They then failed to require a login to access this data.<\/p>\n
Anyone who knew the format of the tracking URL could add or subtract 1 from their order number to view the details of someone else’s order.<\/p>\n
If you remove the tracking ID from the URL, the site directs you to a login form, but this authentication system did not protect the actual tracking data.<\/p>\n
MyBroadband contacted Pick n Pay and Dawn Wing to notify the companies of the data leak and requested comment.<\/p>\n
Neither had responded at the time of writing, but the issue appears to be resolved. Visiting an order tracking link now takes you to a blank page.<\/p>\n
<\/a>Redacted screenshot illustrating a privacy flaw in the Pick n Pay \/ Dawn Wing delivery tracking site<\/p><\/div>\n
The personal data of Pick n Pay customers who used the company’s delivery service has been exposed online.<\/p>\n","protected":false},"author":341039,"featured_media":373113,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[50043,35,5380],"class_list":["post-428332","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-data-leak","tag-headline","tag-pick-n-pay"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/428332"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341039"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=428332"}],"version-history":[{"count":2,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/428332\/revisions"}],"predecessor-version":[{"id":428454,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/428332\/revisions\/428454"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/373113"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=428332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=428332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=428332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}