Ad-Blokker Cyber Security Blog

I try to blog about Cyber Security related topics

PostNL website redirect quirks ~ Post 001

This blog post has an Interesting Rating of LOW; the issue was found during an internet deep dive.

Observation

The Netherlands' largest postal distributor is Koninklijke PostNL B.V. | Royal PostNL.
Part of being a company in the 21st century is having a website.
A website needs domains.
PostNL has several domains, but their main one is:

  • postnl.nl

You would think how fun would it be if they also owned:

  • post.nl

They do own [post.nl], and it “tries” to redirect you to their main domain [postnl.nl], but here is where some problems occur.

When you try to go to the specific URL [https://post.nl/] then you will get this nice message:

Yes I use darkreader, fight me

And when you try the specific URL [https://www.post.nl/] or [http://www.post.nl/], it won’t load at all.

Fun side note, the specific URL [http://www.post.nl/] previously displayed the following message:

Translation: There is no website active for the supplied domain name
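The four variants above (with and without www, over http and https) are exactly the ones a domain owner should check after pointing a vanity domain at the main site. The script below is an added example written for this post, not PostNL's code: it probes each variant without following redirects and reports where the first hop goes. The function names (`variants`, `classify`, `probe`, `check_domain`) and the canonical host argument are my own choices; the defaults `post.nl` / `postnl.nl` are just the domains from this post.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def variants(domain):
    """All URL forms of a domain that are expected to land on the canonical site."""
    return [f"{scheme}://{host}/"
            for scheme in ("http", "https")
            for host in (domain, f"www.{domain}")]


def classify(status, location, expected_host):
    """Pure verdict function so results can be checked without network access.

    status:   HTTP status code as int, or None when no response was received
    location: value of the Location header, or None
    """
    if status is None:
        return "unreachable"            # DNS failure, refused/timed-out connection, TLS error
    if 300 <= status < 400:
        if not location:
            return "redirect-without-location"
        host = urlsplit(location).hostname
        if host is None:
            return "redirects-same-host"  # relative Location, e.g. "/en/"
        if host == expected_host or host.endswith("." + expected_host):
            return "redirects-to-canonical"
        return f"redirects-elsewhere:{host}"
    if status == 200:
        return "serves-page-directly"   # content served on the vanity host itself
    return f"http-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx instead of following it,
    # so we get to inspect the first hop.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """Fetch one URL and return (status, Location header) for the first response."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:        # 3xx/4xx/5xx all arrive here
        return e.code, e.headers.get("Location")
    except (urllib.error.URLError, OSError):   # no usable response at all
        return None, None


def check_domain(domain, expected_host):
    """Map each URL variant of `domain` to a verdict about where it ends up."""
    return {url: classify(*probe(url), expected_host) for url in variants(domain)}


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "post.nl"
    canonical = sys.argv[2] if len(sys.argv) > 2 else "postnl.nl"
    for url, verdict in check_domain(domain, canonical).items():
        print(f"{url:28} {verdict}")
```

Run it as `python redirect_check.py post.nl postnl.nl`; anything other than `redirects-to-canonical` on all four lines is the kind of inconsistency this post describes, and the same script can be dropped into a cron job to catch the regression when a certificate or vhost for one variant silently disappears.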

Reporting the finding

As a responsible person I TRIED to report this to PostNL.

PostNL has a responsible disclosure page where you can easily report vulnerabilities. The thing is, this is neither a vulnerability nor a direct risk to them. This finding is also out of scope according to their responsible disclosure page. So I went searching for other options, like the contact page on their website.

On their website you can choose the following contact options:

  • Their godawful bot

That’s all you get. Don’t believe me? See for yourself:

You NEED to use the bot on the website to get other contact options, why just why?

Okay, so you use the bot to get the contact options:

  • Send a letter (Duh they are THE postal company)
  • Online Chat (Only in Dutch)
  • Call them
  • Facebook
  • Twitter

You can see that an option to send an email is missing.

So I tried to contact them via the Live Chat.

Plan A (trying to get an email address)

I tried to ask them for a contact email address. They assured me that no email addresses for their company are available. Absolutely none! How? I don’t know either.

Plan B (Twitter support)

Fall back to Twitter, as the Live Chat has no option for seeing links or screenshots… The fun thing about Twitter support is that if you ask such a company a question, a random agent will respond, which means you will be facing somebody else every time you try to have a conversation.

Twitter also breaks the links because it transforms them into t.co links, so that ship sailed right away, but I could still send screenshots and try to get the point across that this should be escalated to their internal IT team.

Their Twitter team also reported that they can’t see links. And they completely disregarded or did not understand what I was trying to report. They tried to blame the problem on me, because if they just typed [post.nl] in the address bar it worked. I tried again to explain that it only doesn’t work when you type it in the other ways I presented.

I put the links in an email (more on that later) with an explanation and screenshots, made a screenshot of that email and sent it. The support agent couldn’t see the image I sent either. When I pointed out that they should be able to, and that the Live Chat had told me so, another support agent responded that they could see the image after all!

The agent told me that this is likely an iOS issue. Funny thing is, I did not hint at or ever mention iOS to them. Even better, I don’t own an iOS device. I replied that this is an issue on ALL platforms.
They replied that this “issue” mostly happens on iOS devices and that the department involved is aware.
I really tried to explain that this has nothing to do with device type, browser or OS.

After a lot of back and forth, a support agent reported that this was forwarded to the correct department and they hoped it would be solved soon.

About a month later the problem was still present, so I reminded them again on Twitter and they assured me again that the issue had been forwarded. As of today, no further response or solution has come.

But one more try was made while executing plan B.

Plan C? (Bruteforce email addresses)

They told me that no email addresses are available to write to. This is very hard for me to believe: a company of this size with this much digital presence should have internal email for communicating, right?

So I tried sending to the following list of email addresses, gathered by just making up addresses and finding old mentions of them on the internet.

  • integrity@postnl.com
  • contact@postnl.nl
  • info@postnl.nl
  • it@postnl.com
  • it@postnl.nl
  • contact@postnl.com
  • post@postnl.com
  • servicedesk@postnl.com
  • servicedesk@postnl.nl
  • website@postnl.nl
  • app@postnl.nl
  • support@postnl.nl

Result?

Almost all the emails produced an undeliverable report from the Microsoft Office 365 postmaster address. This means that there is an email server active for the domain but the supplied email address is not valid.
But a few did not come back in the undeliverable reports from Office 365:

  • integrity@postnl.com
  • info@postnl.nl
  • app@postnl.nl

This means that these email addresses are most likely active and able to receive email, and got my message in their inbox.

It is possible that one of the email addresses forwards to an external address, because I got this email from [info@toppak.nl], which makes it hard to say which of the above three working addresses responds with this.

The email in Dutch that came back as a response:

Translation of the email:

Dear mailer,

Thank you for taking the time to email us. Unfortunately, this e-mail address is not active and we do not read your e-mail. This is an automatic response.

Of course we are happy to help you further. Please contact our customer service via postnl.nl/customer service. We are there for all your questions about PostNL.

Yours sincerely,

The PostNL team

Conclusion

No actual response, either in fixing the website/domain or in an email back, has been given as of writing this (17-05-2022).

Lessons learned? I will not be reporting things that don't directly impact their business to PostNL again.

If I find something that does have a lot of priority, I will send a responsible disclosure via their official channel, but only if I meet the conditions of their responsible disclosure clause. (This finding is out of scope according to PostNL.)
So if you, the reader, have something of high priority to report to PostNL and you meet the conditions, you can use this link:

https://www.postnl.nl/en/responsible-disclosure/

Thank you for reading! ❤️
