Amazon are 2/2 for hitting the QR canary token - same CDN, same non-phone user agent each time. Seems to happen async after the delivery, maybe 20 mins or so later.
Actual delivery photo from today below.
Only other test subject so far is Fedex, they did not trigger the QR.
There have now been 4 Amazon proof of delivery images containing the code.
The first two reliably hit the canary token within 20-40 minutes of the delivery, from a non-phone QR code. Definitely some sort of automated process.
The third one did hit the QR, but it was because the delivery person took it upon themselves to scan the QR code with their phone to see what it did - user agent confirmed that. There were no programmatic hits like the first two.
Fourth one, in the picture, but no hit registered.
UPS/FedEx/USPS - not even as much as a flicker of a GET request to my canary.
Bonus points, while driving I exposed my QR code to a couple of Flock cameras, but alas they didn't do anything.
Next step will be a new QR code, one that points to a different domain, because the next thing to check is - did they start blocking the requests to Canarytoken dot org from whatever process was ingesting the images - because that is what it seems like.
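An added example, not code from the original posts, that applies the sorting the thread describes to constructed canary-alert records: the timestamp, user agent and source fields, the 20-40 minute window and the mobile user-agent markers are all assumptions taken from the observations above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed heuristics, lifted from the thread: automated hits landed 20-40 min
# after delivery from a non-phone user agent; the human scan came from a phone.
MOBILE_MARKERS = ("iphone", "android", "mobile")
AUTOMATED_WINDOW = (timedelta(minutes=20), timedelta(minutes=40))


@dataclass
class Hit:
    ts: datetime
    user_agent: str
    source: str  # assumed label for the CDN / network the alert reported


def is_mobile_ua(ua: str) -> bool:
    ua_l = ua.lower()
    return any(m in ua_l for m in MOBILE_MARKERS)


def classify_hit(delivery_ts: datetime, hit: Hit) -> str:
    """Bucket one canary hit relative to the delivery it belongs to."""
    delay = hit.ts - delivery_ts
    if delay < timedelta(0):
        return "pre-delivery"          # cannot be from the delivery photo
    if is_mobile_ua(hit.user_agent):
        return "human-phone-scan"      # the third delivery in the thread
    lo, hi = AUTOMATED_WINDOW
    if lo <= delay <= hi:
        return "automated-pipeline"    # the first two deliveries
    return "unexplained"


def recurring_automated_sources(deliveries):
    """Sources that produced automated hits on two or more deliveries
    (the 'same CDN each time' signal). deliveries: [(delivery_ts, [Hit])]."""
    seen = {}
    for dts, hits in deliveries:
        for h in hits:
            if classify_hit(dts, h) == "automated-pipeline":
                seen.setdefault(h.source, set()).add(dts)
    return sorted(s for s, d in seen.items() if len(d) >= 2)


# Constructed sample: one delivery with three hits of each kind.
SAMPLE_DELIVERY = datetime(2024, 1, 1, 12, 0)
SAMPLE_HITS = [
    Hit(datetime(2024, 1, 1, 12, 27), "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36", "cdn-a"),
    Hit(datetime(2024, 1, 1, 12, 4), "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", "carrier-b"),
    Hit(datetime(2024, 1, 1, 15, 0), "curl/8.0", "unknown"),
]


def run_sample():
    return [classify_hit(SAMPLE_DELIVERY, h) for h in SAMPLE_HITS]
```

A delivery with an empty hit list (the fourth case above) simply yields no classifications, which is itself the signal worth tracking when testing a new domain.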
They paid a ransom to criminals with nothing but a pinky promise they wouldn’t do more crimes, and yet this LinkedIn notification makes it sound like they entered into a strategic partnership to deliver value for their customers.
“Hi, my name’s David, I’m one of the repair techs here, I’ve been looking after your broken soldering iron today.”
“How’s he doing?”
“Take a seat.”
“Oh no.”
“Unfortunately, and there is no easy way to say this, we looked at your iron, and, well, we found something.”
“Please, just give it to me straight.”
“Ok, well we found, and I’m so sorry, we found, firmware.”
“It has firmware?”
“Yes.”
“But it’s a soldering iron?”
“Yes.”
“So there is nothing you can do for it?”
“Unfortunately, when a tool has firmware, it’s always fatal. There is nothing we can do. I am very sorry.”
“But, it’s so young. I only got it like a month or so ago?”
“Sadly, we often see firmware on younger tools.”
“But it was fine yesterday, like totally fine?!”
“With any kind of firmware, it can just, you know, stop working.”
“What am I gonna tell the kids?!”
“Obviously you know your kids better than me, but as a general rule, I always tell people that kids appreciate honesty, and are more resilient than you might think. Be honest.”
“But how?”
“Just tell them, you were drawn in by the features, rather than just a functional thing, so that’s why you got it.”
For fans of @acarsdrama - it is now regularly receiving and churning through 250,000 raw messages an hour from the skies around the globe. That is insane.
You know how some SaaS products, particularly enterprise ones, let you join a workspace/tenant by providing an email address at a given domain, so if you sign in with companya.com you go to Company A's tenant.
Yeah... I wonder how many surprises lurk if you sign in with deleteduser.com or any of the other Plexfiltration domains....
Ok, if you are particularly sensitive to the effects of irony, I suggest you take a seat before reading further.
In what is perhaps the most perfect encapsulation of everything that this experiment has shown so far, last night, deleted-user.com received over 400 emails from the same organization.
This was an EU based tech firm.
The purpose of those emails? They were from the company's legal team, advising users of updated terms and conditions, and the first update was:
"Data protection: we added language explaining how we handle personal data under the GDPR"
Super interesting to note that, in the case of the internaluser.com defense contractor thingy, they must've realized their mistake very quickly - because there was a follow-up email within the hour informing the @internaluser.com email that their email address on the system had been changed.
Unfortunately, that change did reveal an internal domain used by said defense contractor.
That's the thing with Plexfiltration, when it gets ya it's hard to escape without it getting ya some more.
Couple of new welcomes to the internet PII dumpster overnight:
- An app that manages payments for car washes - sent me full names and license plates of vehicles associated with a deleted account.
- EU based Microsoft Training Partner's privacy officer sent me a nice note sharing the email addresses of two people who had asked to be deleted, confirming that they had been deleted.
But a couple of good updates too:
- Nice email from UK ICO saying 'thanks for bringing this to our attention'.
- Email from the company that sent out 400+ emails in a single day saying, 'yikes thanks, we've passed this on internally'.
Got a second reply from a company. Don't think they really understood what I was saying as the reply was:
"Hi Mike,
Thank you for reaching out and expressing your interest in collaborating. At this time, we are not engaging in new marketing partnerships, guest posts, or link exchanges, but we will be sure to notify you should this change in the future."
Author of Digital Forensic/Pen Test/Blue Team Diaries, Hands-on Incident Response and Digital Forensics & Security Operations in Practice! (he/him) #infosec #DFIR #BlueTeam #Pentesting