Grand Canyon

WTF UPS ?

2016-08-26

So the other day (2016-08-24) I ordered a piece of workout equipment online from Dick's Sporting Goods. I received an email the next day saying the order was shipped. I know better than to think it is out the door and available for tracking, but just for kicks I clicked through the tracking links to the UPS tracking page anyway. Normally I would expect to get a notice that the package had not arrived or been processed by UPS yet. What I actually got was shipment information for a package that was shipped on 5/19/2016 from Obetz, OH and arrived at Manhattan, KS on 5/23/2016. This seemed odd enough to me that I responded to the Dick's notification email and asked them to check and update my shipping number. The response to this was an email stating "The mailbox you attempted to send your e-mail to is not monitored. However, we do want to hear from you!" They did include a phone number, which I called. After a pleasant conversation and a short wait, I was told that they do re-use tracking numbers and I would get updated tracking information after UPS processed the package. Now it is possible that tracking numbers do get re-cycled, but it seems like a bad idea. This UPS tracking number is 18 characters long, mostly digits with upper-case alpha characters in at least 3 positions. (10.0**15)*(26.0*3) is 7.8e+16 - plenty of unique values for the foreseeable future.

Anyway, I figured I could just wait a day and see if it gets straightened out. So the next day, I checked again. Well, it looks like I am going to get the Bosu I ordered, it may even be delivered tomorrow, but the records are still tangled up with someone else's order from back in May. Below is a screen-shot of the Shipment Progress from the tracking page as of 10PM Eastern time on 8/26/2016.

UPS Shipping Progress From UPS tracking page

It appears that yes, my tracking number was recycled, and it also appears that some of the previous data associated with that tracking number was not expired in the database. Or perhaps there is some other failure. In any case, we have a bug in code here. I briefly considered trying to report this to UPS, but quickly dropped the idea. I have no idea who to contact, and from past experiences reporting bugs to software vendors when I did have contact information, I figured it would just be a frustrating experience. I can't imagine how security researchers manage to get issues reported to the right people, let alone get the proper action taken.