

I just came across an interesting feature in the Posten Sporing app of Posten Norge AS.

This app does the following (translated from the product description on Google Play):

Record tracking makes it easy to monitor packages on their way to you with the Post Office.

When you register with your mobile number and email, we automatically find packages on the way to you. To achieve this, we rely on the sender having registered your mobile number or email. We therefore constantly check if there are packages on the way to you and alert you via push when there is a new package. We will notify you when you can get it at the post office or possibly when it will be delivered to your home.

All good and well, of course. It also lets you enter a package tracking number manually. Handy of course, should you have a package coming your way that didn’t make it into the system automatically.

But… here you can also enter some totally random number like… 12345

And then it suddenly gets interesting! I see a long list of packages, none of them mine (see screenshot, which I mutilated a bit on purpose). I can track their whereabouts, and it wouldn’t surprise me if I’d get a hentekode (pickup code) in the app when the package I selected makes it to the post office and is ready for pickup.

I wonder how long it will take before less honest people will start abusing this ‘feature’…



Their website at http://sporing.posten.no/ is even worse. There I can also search by phone number. This makes it very easy for anyone to track exactly where their neighbours, colleagues & family shop, and quite often it also gives a fair idea of what’s been purchased…





Posten responded pretty quickly via Facebook:



Posten: Hello. In regards to the amount of hits showing when you search using 12345, this is due to the fact that the app also uses "sender reference" to find packages, which in turn generates many hits as many senders will use similar references. Regards, Ø.

Me: But should I be able to see all these other packages? What if I add one as 'mine' in the app? Do I also get a 'hentekode' when the package is ready for pickup?

Posten: Yes, as the app uses Sender Reference as a "search parameter", you will and should be able to see these. You will not be able to collect the package as it is not in your name, and will not receive a "hentekode". If you add it as "mine" in the app, you will simply be tracking someone else's package. Regards, Ø.

Me: Hmm, still not quite convinced about privacy of end-users/recipients here, but ok...

Posten: Hi Evert. If you don't find our routines satisfying, you can leave a complaint using this form. Regards H.

Me: As long as Datatilsynet (the Norwegian Data Protection Authority) is happy with the routines, so am I 😉
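
The search behaviour discussed above (one query matched against tracking number, sender reference and phone number for any caller) is shown here next to a variant scoped to the caller's verified phone number. This is an added example, not Posten's code or part of the original post; the record layout, function names and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Shipment:
    tracking_number: str
    sender_reference: str
    sender: str
    recipient_phone: str
    status: str


# Constructed sample records; every number, shop and phone number is invented.
SHIPMENTS = [
    Shipment("TRK000000000000001", "12345", "Bookshop A", "+4700000001", "In transit"),
    Shipment("TRK000000000000002", "12345", "Pharmacy B", "+4700000002", "Ready for pickup"),
    Shipment("TRK000000000000003", "98765", "Electronics C", "+4700000001", "Delivered"),
]


def search_loose(query):
    """Behaviour described in the post: the query is matched against tracking
    number, sender reference and recipient phone, whoever is asking."""
    return [s for s in SHIPMENTS
            if query in (s.tracking_number, s.sender_reference, s.recipient_phone)]


def search_scoped(query, verified_phone):
    """Scoped variant (an assumed design, not Posten's): sender reference and
    phone number only match inside the caller's own shipments. A full tracking
    number belonging to someone else returns status only, with no sender or
    recipient details. Assumes tracking numbers are long and hard to guess."""
    results = []
    for s in SHIPMENTS:
        owned = verified_phone is not None and s.recipient_phone == verified_phone
        if owned and query in (s.tracking_number, s.sender_reference, s.recipient_phone):
            results.append({"tracking_number": s.tracking_number,
                            "sender": s.sender, "status": s.status})
        elif not owned and query == s.tracking_number:
            results.append({"tracking_number": s.tracking_number, "status": s.status})
    return results


if __name__ == "__main__":
    print(len(search_loose("12345")), "shipments visible to any caller")
    print(search_scoped("12345", "+4700000001"))
```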
