
Royal Mail online tracking returns — with a frustrating captcha that works half the time

The Royal Mail Track & Trace website appears to have returned after an outage that spanned a week, but with a caveat: anybody who wants to track a letter or parcel must first solve a captcha, and users report that the captcha is rather difficult.

Your parcel is one too many chickens away!

As observed by Security Report this morning, Royal Mail’s Track & Trace website is back online with a drastic change: it requires users to solve a captcha before they can track their mail and packages.

This also applies to users visiting tracking links containing parcel tracking numbers in them, such as:

royalmail.com/track-your-item#/tracking-results/QR123456789GB

Except that the difficulty level of this security puzzle seems to be higher than that of regular captchas, and that has left users angry:

Others have compared this to a “data mining” challenge requiring way too much effort:

DDoS unconfirmed but the mitigations indicate otherwise

Royal Mail has still not commented on the cause of the mysterious outage, which lasted a week and left British residents who rely heavily on the mail service in limbo. But the mitigations Royal Mail has suggested so far, together with the introduction of the captcha challenge today, hint at the mail provider trying to contain a DDoS attack.

Last week, I observed the Track & Trace web API returning an HTTP 429 ”Too many requests” status code when attempting to check the status of a parcel. This was seen again today on certain attempts, despite successfully solving the captcha:

A Royal Mail spokesperson had also earlier suggested that users download the Royal Mail mobile app for tracking while the Track & Trace website was down. The web app requires you to verify an email address should you want to submit more than 5 tracking requests one after another—which is yet another deterrent to excessive requests from bots (or DDoS attackers).

Responding to frustrated users on Twitter today, Royal Mail said it is using “Google’s reCaptcha to protect our website to prevent any form of malware, viruses or phishing so we can make it accessible to a higher number of genuine customers and ensure a consistent performance.”

Note, however, that the captcha put in place by Royal Mail is powered by hCaptcha, which is developed by a different company from Google’s reCaptcha. And the reasoning given in the tweets is rather vague. As technologists may know, the primary purpose of a captcha is to limit bots, DDoS attacks, and fake accounts or submissions rather than to prevent “malware, viruses or phishing.”
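The two controls the article observed on the tracking endpoint, the HTTP 429 request budget and a challenge gate (captcha or e-mail verification) after a run of five unverified lookups, modelled as an added Python example. This is constructed illustration code, not Royal Mail's implementation; the window length and per-window budget are assumptions, and the tracking-number shape is taken from the sample link above.

```python
# Illustrative model of a rate limit plus challenge gate in front of a
# parcel-tracking lookup. Constructed example, not Royal Mail's code.
import re
import time
from collections import defaultdict, deque

TRACKING_RE = re.compile(r"^[A-Z]{2}\d{9}GB$")  # shape of QR123456789GB
WINDOW_SECONDS = 60      # assumed sliding window for the request budget
MAX_PER_WINDOW = 30      # assumed budget before the endpoint answers 429
FREE_LOOKUPS = 5         # "more than 5 tracking requests" threshold from the text


class TrackingGate:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.hits = defaultdict(deque)       # client -> request timestamps in window
        self.unverified = defaultdict(int)   # client -> consecutive unverified lookups
        self.verified = set()                # clients that solved a challenge

    def pass_challenge(self, client):
        """Record that the client solved the captcha or verified an e-mail."""
        self.verified.add(client)
        self.unverified[client] = 0

    def lookup(self, client, tracking_number):
        """Return (status, body) the way the tracking API would answer."""
        if not TRACKING_RE.match(tracking_number):
            return 400, "malformed tracking number"
        now = self.clock()
        window = self.hits[client]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                 # drop requests outside the window
        if len(window) >= MAX_PER_WINDOW:
            # The budget applies even to verified clients, which is consistent
            # with the 429 the author saw after solving the captcha.
            return 429, "Too many requests"
        window.append(now)
        if client not in self.verified:
            self.unverified[client] += 1
            if self.unverified[client] > FREE_LOOKUPS:
                return 403, "challenge required"
        return 200, f"status for {tracking_number}"
```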

Earlier this month, Royal Mail had suffered a customer data leak that exposed customers’ information to other customers, which compelled the mail service to suspend its Click & Drop website.

While Royal Mail remains tight-lipped about what is truly causing these cyber incidents, the timing of these technological slip-ups coincides with the ongoing CWU member strikes, making the matter all the more interesting.



Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
