How I Hacked Temu - Thijs's Portfolio

Submitted by
Style Pass
2024-12-01 06:30:02

In classic Thijs fashion, I checked my shipment's tracking every hour for updates. Bored, I tried something: I flipped a digit on my all-numeric tracking number. Boom, a photo of a successful delivery at another house. But this was only a tiny first vulnerability.
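The flaw behind that digit flip is a predictable identifier doing double duty as the only credential: sequential numeric tracking numbers, and a lookup that returns the full record to whoever supplies one. Below is an added, self-contained model of that pattern and two fixes, written for this page rather than taken from PiggyShip's, Temu's or the author's code. All shipment records, names and tokens are constructed sample data; `lookup_insecure`, `lookup_hardened`, `neighbours` and `new_tracking_number` are hypothetical names.

```python
"""
Toy model of a tracking lookup where a sequential number is the only
"credential". Constructed data only; not any courier's real code or records.
"""
import hmac
import secrets

# Constructed sample shipments keyed by sequential tracking number.
SHIPMENTS = {
    "10000001": {"name": "Alice Example", "address": "1 Main St", "pod_photo": "pod_1.jpg"},
    "10000002": {"name": "Bob Example",   "address": "2 Main St", "pod_photo": "pod_2.jpg"},
    "10000003": {"name": "Carol Example", "address": "3 Main St", "pod_photo": "pod_3.jpg"},
}

# Per-shipment secrets a hardened service would send only to the recipient
# (hard-coded here so the example runs offline; in practice generate them
# with secrets.token_urlsafe at shipment creation).
TOKENS = {
    "10000001": "tok-alice",
    "10000002": "tok-bob",
    "10000003": "tok-carol",
}


def lookup_insecure(tracking_number):
    """The flaw: anyone who knows or guesses a number gets the whole record."""
    return SHIPMENTS.get(tracking_number)


def lookup_hardened(tracking_number, token):
    """Fix 1: bind the lookup to a secret only the recipient holds.

    compare_digest is constant-time, so a remote caller cannot narrow the
    token down character by character from response timing. A missing
    shipment and a wrong token get the same answer, so the endpoint does
    not confirm which numbers exist.
    """
    expected = TOKENS.get(tracking_number)
    if expected is None or not hmac.compare_digest(expected, token):
        return None
    return SHIPMENTS[tracking_number]


def neighbours(tracking_number):
    """Every number reachable by changing exactly one digit (the 'flip a digit' step)."""
    out = []
    for i, ch in enumerate(tracking_number):
        for d in "0123456789":
            if d != ch:
                out.append(tracking_number[:i] + d + tracking_number[i + 1:])
    return out


def enumerate_neighbours(own_number, lookup):
    """Return the *other* records a single-digit change exposes through `lookup`."""
    found = {}
    for n in neighbours(own_number):
        rec = lookup(n)
        if rec is not None:
            found[n] = rec
    return found


def new_tracking_number():
    """Fix 2: make the identifier itself unguessable (128 bits of randomness),
    so there is no sequence to walk even where no token is required."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("insecure endpoint leaks:", sorted(enumerate_neighbours("10000001", lookup_insecure)))
    own_token = "tok-alice"
    print("hardened endpoint leaks:",
          sorted(enumerate_neighbours("10000001", lambda n: lookup_hardened(n, own_token))))
    print("unguessable id example:", new_tracking_number())
```

Running it shows the insecure lookup handing over two other people's records from a single digit change, while the hardened lookup returns nothing for every neighbour, even though the caller holds a valid token for their own shipment. Either fix alone closes the enumeration; doing both also limits what a leaked token is worth.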

Soon, I would find something that led me to discover over 400,000 names and addresses from Temu shipments left out on the open Internet. Then, I'd get these secured to prevent anything from leaking to bad actors.

This isn't a regular security disclosure. As we'll discuss later, the company wasn't interested in further contact or implementing stronger security measures.

I learned a ton through this process, both about how logistics companies work and how to do ethical security research. I hope to share a lot of what I've discovered with you.

Nothing I have written in this article is intended to harm PiggyShip or any other party. In fact, I hope that PiggyShip and other couriers read this and learn how to better secure their systems and create points of contact for reporting vulnerabilities. The challenges I faced in making contact to report such a major issue show the importance of the security.txt standard (RFC 9116).
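For a courier that wants the point of contact the paragraph above asks for, the concrete step is a security.txt served at `/.well-known/security.txt`. The following is an added example, not from the original post or from PiggyShip: a minimal file with hypothetical contact details (the `example-courier.invalid` domain is made up) and a checker for the two fields RFC 9116 requires, `Contact` and `Expires`. `parse_security_txt` and `check_security_txt` are names chosen here.

```python
"""
Minimal RFC 9116 security.txt plus a checker for its required fields.
Constructed contact details; the domain is a reserved .invalid name.
"""
from datetime import datetime, timedelta, timezone

# RFC 9116 requires Expires and recommends it be under a year away, so the
# sample computes a date 180 days from now rather than hard-coding one.
_EXPIRES = (datetime.now(timezone.utc) + timedelta(days=180)).strftime("%Y-%m-%dT%H:%M:%SZ")

# Served at https://<domain>/.well-known/security.txt
SAMPLE_SECURITY_TXT = f"""\
# Hypothetical contact details for illustration only
Contact: mailto:security@example-courier.invalid
Contact: https://example-courier.invalid/report-a-vulnerability
Expires: {_EXPIRES}
Preferred-Languages: en
Canonical: https://example-courier.invalid/.well-known/security.txt
"""

REQUIRED_FIELDS = ("Contact", "Expires")


def parse_security_txt(text):
    """Return {field_name: [values...]}, skipping blank and comment lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the basic RFC 9116 checks pass."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")

    # Contact values must be URIs; mailto:, https: and tel: are the usual schemes.
    for contact in fields.get("Contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a URI: {contact}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires[:1]:
        try:
            # fromisoformat accepts 'Z' only on Python 3.11+, so normalise it first.
            exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {value}")
            continue
        if exp.tzinfo is None:
            problems.append("Expires lacks a timezone")
        elif exp <= now:
            problems.append(f"security.txt expired on {value}")
        elif exp - now > timedelta(days=366):
            problems.append("Expires is more than a year out (RFC 9116 recommends less)")

    return problems


if __name__ == "__main__":
    print("sample file problems:", check_security_txt(SAMPLE_SECURITY_TXT))
    print("missing Expires:", check_security_txt("Contact: mailto:x@example-courier.invalid\n"))
```

The checker is deliberately strict about the one thing that most often makes a published security.txt useless in practice: an `Expires` that has already passed, which tells a researcher the file may be stale and the contact dead. Run it against your own file after deployment, not just the copy in the repository.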
