Google Dorks - A Tracker
Summary :
In simple terms, “Google Dorks” is a technique for using the Google search engine to find security holes and sensitive information that is not easily available on a website. It is one of the most effective techniques for finding sensitive information about a website. Using “Google Dorks” you can find information that is not intended for public viewing but that has not been adequately protected.
Description :
I found this vulnerability on a VDP. I contacted them, but there was no response and the vulnerability still exists. I bought something online and received a parcel from this delivery company. I got an email with my tracking ID and some other information, so I used the Google dork and found this company’s page where you can enter your tracking ID and get the details. At first I entered my tracking ID and got the details, but one thing that caught my attention was that I had not logged in to my account and was still able to fetch my details. I ordered something else using another email address of mine, got the tracking ID and some other details, and again I was able to fetch the details without logging in. So I tried another user’s tracking ID and I was able to see all the details.
This is one of the easiest vulnerabilities I have found so far. I used only one dork to find it, and the rest was possible due to the lack of authentication and authorization.
NOTE : You just need your tracking number, or you should know the pattern of the tracking number, so that you can manipulate it and get information about other users.
Difference between Order ID and Tracking ID :
Order ID is the identification number that identifies which product you bought on a particular website (e.g. you bought a phone on amazon.com and your Order ID is 1234).
Tracking ID is the identification number used to track an order (e.g. your order has been shipped and your Tracking ID is 5678). A Tracking ID is also referred to as an AWB (Airway Bill Number). An Airway Bill is a receipt issued by an international airline for goods and evidence of the contract of carriage. When this receipt is issued, your tracking ID is generated.
Both the order ID and the tracking ID can, at some point, help reveal user details.
How I found this vulnerability ?
1. On Google, I used the dork intext:<CompanyName> “Tracking ID”
2. Then I opened the first link
3. I entered my tracking ID and clicked on the track button
4. Then I noticed there was an option to check the travel history and shipment facts of the package; I clicked on it and got many more details
5. After reviewing my details, I entered another person’s tracking ID and got the details
6. Then I entered yet another user’s tracking ID and got the details, but this time I was asked “Want to know when your package will arrive ?” and a signup option popped up.
7. I found an option to get status update on the particular package (of some other user)
8. Then I started getting someone else’s package update on my email
Why it happened ?
In my opinion the main reason I was able to see other users’ tracking data was the lack of authentication and authorization. There was no authorization mechanism identifying that a particular tracking ID belonged to me.
Dork Used :
- intext:<CompanyName> “Tracking ID”
Some other dorks you can use :
- intext:<CompanyName> “Order ID” | “order id” | “Order Id”
- intext:<CompanyName> “Shipping ID” | “shipping id” | “Shipping Id”
- intext:<CompanyName> “Shipment ID” | “shipment id” | “shipment Id”
- intext:<CompanyName> “Order No.” | “order number” | “Order Number”
- intext:<CompanyName> “Shipping No.” | “shipping number” | “Shipping Number”
- intext:<CompanyName> “Shipment No.” | “shipment number” | “shipment Number”
- intitle:<CompanyName> “Tracking No.” | “tracking number” | “Tracking Number”
- intitle:<CompanyName> “Tracking Info.” | “tracking info” | “Tracking Information”
- intitle:<CompanyName> “Tracking Stats” | “tracking statistics” | “Tracking Statistics”
- inurl:<CompanyName> “Order Summary” | “order summary”
- inurl:<CompanyName> “Thank you for your order” +receipt
- inurl:<CompanyName> “AWB” | “awb” | “Airway Bill Number” | “airway bill”
Impact :
Due to the lack of authorization and authentication, anyone can see the tracking details of any user.
Mitigation :
The tracking page should be excluded from search engine indexing, and if the tracking page must be public, it should have proper authentication and authorization in place to avoid such issues.
Example (Stop Indexing) :
User-agent: *
Disallow: /tracking
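This entry asks search engine crawlers not to crawl the /tracking path. It does not restrict who can open the page, which is why the authentication and authorization described above are still required.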
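The authorization check that the mitigation calls for, as an added example (not code from the original post or from the company's site). The record fields, the sample shipments and the idea that `session_email` comes from an authenticated session are assumptions made for illustration; returning a coarse status to anonymous callers is one possible design for a page that must stay public.

```python
# Added illustration: names, fields and sample data are constructed.
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Shipment:
    tracking_id: str
    owner_email: str   # account the parcel belongs to
    status: str
    recipient_name: str
    address: str
    history: tuple


# Constructed sample records.
SHIPMENTS = {
    "TRK0001": Shipment("TRK0001", "alice@example.com", "In transit",
                        "Alice A.", "1 Example Street", ("Picked up", "At hub")),
    "TRK0002": Shipment("TRK0002", "bob@example.com", "Delivered",
                        "Bob B.", "2 Sample Road", ("Picked up", "Delivered")),
}
SUBSCRIPTIONS = {}  # tracking_id -> set of e-mails receiving status updates


def track_unchecked(tracking_id):
    """Behaviour described in the post: the ID alone unlocks every field."""
    s = SHIPMENTS.get(tracking_id)
    return None if s is None else asdict(s)


def track(tracking_id, session_email=None):
    """Hardened lookup: full details only for the authenticated owner."""
    s = SHIPMENTS.get(tracking_id)
    if s is None:
        return None
    if session_email is not None and session_email == s.owner_email:
        return asdict(s)
    # Anonymous or non-owner callers get coarse status only, no personal data.
    return {"tracking_id": s.tracking_id, "status": s.status}


def subscribe(tracking_id, session_email):
    """Status e-mails go only to the logged-in owner of the shipment."""
    s = SHIPMENTS.get(tracking_id)
    if s is None or session_email != s.owner_email:
        return False
    SUBSCRIPTIONS.setdefault(tracking_id, set()).add(session_email)
    return True
```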