Massive Vulnerability Exposed at USPS

concept of leaky software, data pouring out of pipe. 3d illustration

Krebs on Security reported a security weakness that affected millions of USPS customers. The vulnerability in question allowed anyone with an account on USPS.com to view granular information about the site’s more than 60 million users.

In what has become an all too familiar scenario, Krebs on Security was contacted by a researcher who discovered the problem a year earlier. Nothing was done. A day after Krebs contacted the organization, the problem was resolved.

At issue was a functionality called “application program interface,” or API, which is, to keep it simple, the way apps and websites communicate with a site.

According to Krebs,

The API in question was tied to a Postal Service initiative called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.

In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox.

Here’s the takeaway: The vulnerability was serious.

There was a sufficient amount of personal information involved to create myriad safety and security issues, among them letting anyone see where a person lives. Additionally, there is more than enough information to help a criminal design a variety of persuasive phishing emails, since the API allows people to track packages in transit and other USPS.com offerings.

For more, read the Krebs article.