Largest Danish Courier Vulnerability Disclosure: dao A/S

Brief introduction

DAO A/S operates dao (stylized in lowercase, dao.as), a parcel carrier based in Denmark that ships domestically and to selected international destinations.

When a parcel is dispatched, the customer receives a tracking number that is issued automatically by dao's tracking number API.

Generating tracking numbers

dao exposes a helpfully documented public API, both as a website and as a PDF, that is presumably meant to be gated to integration partners only; neither document appears to be intended for the general public.

Semi-redacted data on every recipient can be scraped without any real exploitation of the site, simply because of how dao chose to construct its tracking numbers.

First we need a valid tracking number. For shipping companies you can usually just scour Trustpilot for a while and a few will pop up (I should mention that dao has a surprisingly high rating). Lars W, a customer, shared his tracking number: 00057151273338386376.

I looked this number up on dao's website, and sure enough it returned a semi-redacted recipient name, a general location and the sender. I couldn't help noticing the three leading zeros, which suggested that this was not a random number but one following some standard.

To save you the suspense: these numbers are literally barcodes. Looking up a package simply means looking up its barcode; there is no separate alphanumeric code.

This makes these codes trivial to generate.

We can enumerate all previous and currently live packages anywhere in the country, and we can generate the shipping labels that will exist minutes from now.


Quick explanation: they appear to be using GS1-128 compliant barcodes, not just for internal inventory management but also as the tracking number shown to the end consumer.

To explain how the number is structured, let's examine a valid tracking number: 00057151273338386376. The initial two zeros are the "application identifier", the next four digits are the "company prefix", then comes the "serial reference" number, 127333838637, which is the part we are able to iterate over, and the last digit is a modulo-10 check digit.

In the interest of not causing any service disruption to DAO A/S, I have not attempted to scrape large ranges of tracking numbers; however, it is entirely feasible for a malicious actor to do so.

Curious what your friends are buying? Or want to do some volume espionage on a competing e-commerce retailer? Well, there is a way to do that too.

After a bit of sleuthing, it turns out (from what I can infer) that for large retailers with exclusive or primary courier agreements with dao (i.e. the customer has no say in which courier handles the package), there is a second type of tracking number that dao accepts: 7000802550621.

This is particularly interesting because 7008 presumably encodes a store. dao specifies that this 13-digit tracking code always starts with a 7.

008 happens to encode Saxo.com, the dominant online bookstore in Denmark. There are more of these for large retailers.

This has some rather unfortunate consequences, since, again, the number can be iterated through. A script that scrapes daily for numbers, locations, inferred identities, etc. could give competitors insight into a retailer's business that they could not otherwise obtain.


Congratulations.

Now you can check what books your friends buy, whether Saxo.com is doing decent sales volume, where that volume is (via zip codes), and even infer from their names whether customers are male or female, etc. Not great.

Especially not when there appear to be no rate limits, and even if rate limits were introduced they would not stop residential proxies or similar services from scraping the data both retroactively and proactively.

A hypothetical misuse of the vulnerability

I. Anyone could scan for new packages shipped via dao in real time in order to steal them. Names can also be correlated: since names are semi-censored with asterisks but are not truncated, it is possible to infer them and cross-check when a specific person is not home, when the package is delivered and when they usually pick it up. This could lead to an increase in package theft.

II. Directly spying on people. As mentioned, if you know even vague details about the person you are looking for (general area, first and last name), tracking their purchasing behaviour becomes trivial.

III. Being able to call up and re-route packages to a "drop house" (a house that is for sale or abandoned).

IV. A live map of every parcel in Denmark, showing exactly where each one is in real time (e.g. at a sorting facility, sitting in a driveway, picked up, etc.), built by generating the latest tracking numbers, requesting their status and following each package until it is delivered.

A solution

A simple yet effective solution would be to prompt for a password before showing this information. To keep it backwards-compatible, the password could be something already known to the sender or receiver, i.e. the recipient's first or last name.

The upside is that the current barcode-based, insecure and generatable tracking numbers that anyone can look up right now could stay as they are without leaking citizens' deliveries to everyone.

No malice

No excessive calls or collection of private information.

A suggestion to fix these vulnerabilities would be to require the first or last name of the receiver before returning any tracking information. This would effectively stop all attempts at scraping or active spying.
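The name-gated lookup proposed in the solution section and restated above, together with a simple detector for the enumeration pattern this article describes, as an added example that is not dao's code: the parcel store, recipient names and client addresses are constructed, and the name normalization rules are an assumption about how a real implementation would compare names.

```python
import hmac
import unicodedata
from collections import defaultdict

# Constructed sample parcel store (not dao data): tracking number -> recipient and status.
# Numbers follow the 20-digit SSCC layout described above; the recipient names are invented.
PARCELS = {
    "00057151273338386376": {"recipient": "Lars Example", "status": "Out for delivery"},
    "00057151273338386383": {"recipient": "Anna Ørsted", "status": "At sorting facility"},
}

def normalize(name):
    """Case-fold and drop combining accents so 'Müller', 'MÜLLER' and 'muller' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name.casefold())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).strip()

def name_matches(claimed, recipient):
    """True if the claimed name equals any part (first or last name) of the recipient's name."""
    claimed = normalize(claimed).encode("utf-8")
    if not claimed:
        return False
    matched = False
    for part in recipient.split():  # check every part so timing does not reveal which one matched
        if hmac.compare_digest(claimed, normalize(part).encode("utf-8")):
            matched = True
    return matched

def lookup(tracking, claimed_name):
    """Return the parcel status only if the caller also knows the recipient's first or last name.
    An unknown number and a wrong name both return None, so the endpoint is not an
    oracle for which tracking numbers exist."""
    parcel = PARCELS.get(tracking)
    if parcel is None or not name_matches(claimed_name, parcel["recipient"]):
        return None
    return parcel["status"]

class EnumerationMonitor:
    """Detection aid: flags a client whose lookups fail the name check across many distinct
    tracking numbers, the signature of someone iterating the serial reference."""
    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failed = defaultdict(set)

    def record(self, client, tracking, succeeded):
        """Record one lookup attempt; returns True once the client should be flagged or blocked."""
        if not succeeded:
            self.failed[client].add(tracking)
        return len(self.failed[client]) >= self.threshold
```

Because a failed lookup returns the same result whether the number is unknown or the name is wrong, the monitor is the only place where enumeration becomes visible, so its output belongs in the access logs.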

Update (Jan. 2026)

dao's engineers and senior management were made aware of this privately on October 13th, more than 110 days before this article was made public. They were not receptive to addressing the issue; in fact, quite the opposite.

It was made clear that a bounty would never have been accepted, and that this was an attempt to prevent malicious actors from tracking, categorizing and weaponizing sensitive data about the flow of packages within Denmark.

This is an insecure direct object reference (IDOR) vulnerability. Hopefully dao will reconsider its stance on this matter and address the vulnerability.