USPS patches API flaw that exposed data on 60 million users (update)
The "Informed Visibility" API was a bit too good at its job.
The United States Postal Service reportedly patched an API flaw on Wednesday that allowed anyone with a USPS.com account to view other users' account details. The security flaw affected some 60 million USPS users.
Per a Krebs on Security report, the flaw was first discovered more than a year ago by an independent security researcher, who informed the mail service but never received word back until Krebs reached out last week on the researcher's behalf.
The API was part of the USPS "Informed Visibility" program, which is designed to give bulk mail senders near real-time tracking data. The problem is that the API accepted any number of "wildcard" search parameters, so anyone who logged into the system and had a basic understanding of modifying request parameters in the browser's developer console could pull up reams of data on other users. Everything from usernames and account numbers to physical addresses and phone numbers was there for the taking.
"This is not even Information Security 101, this is Information Security 1, which is to implement access control," Nicholas Weaver, a researcher at the International Computer Science Institute, told Krebs. "It seems like the only access control they had in place was that you were logged in at all. And if you can access other people's data because they aren't enforcing access controls on reading that data, it's catastrophically bad and I'm willing to bet they're not enforcing controls on writing to that data as well."
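The failure mode described above, a search endpoint that checks only that the caller is logged in and then honours whatever wildcard filter the client sends, is the textbook broken object-level authorization bug. The following is an added illustration written for this article, not USPS code; the record fields, the `account_id` and `username` parameter names and the sample records are all constructed for the example. It places a vulnerable handler beside a hardened one in which the ownership predicate comes from the session rather than from the request:

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    account_id: str
    username: str
    street: str
    phone: str


# Constructed sample data for the example; not real customer records.
RECORDS = [
    Record("1001", "alice", "1 Main St", "555-0101"),
    Record("1002", "bob", "2 Elm St", "555-0102"),
    Record("1003", "carol", "3 Oak St", "555-0103"),
]


def search_vulnerable(session_account_id, params):
    """Authentication only: any logged-in caller may filter on any account,
    and the filter is a glob, so '*' or '100?' returns every account."""
    if session_account_id is None:
        raise PermissionError("login required")
    pattern = params.get("account_id", "*")  # hypothetical parameter name
    return [r for r in RECORDS if fnmatch.fnmatchcase(r.account_id, pattern)]


def search_hardened(session_account_id, params):
    """Authorization: the owner predicate is taken from the server-side
    session, never from the request. A client-supplied account_id that does
    not match the session is rejected instead of being used as a filter."""
    if session_account_id is None:
        raise PermissionError("login required")
    requested = params.get("account_id")
    if requested is not None and requested != session_account_id:
        # Covers wildcards too: '*' is simply not equal to the caller's id.
        raise PermissionError("not authorized for that account")
    # Scope first, from trusted state...
    scoped = [r for r in RECORDS if r.account_id == session_account_id]
    # ...then let any client filter (wildcards included) only narrow within scope.
    pattern = params.get("username", "*")  # hypothetical parameter name
    return [r for r in scoped if fnmatch.fnmatchcase(r.username, pattern)]


if __name__ == "__main__":
    # Logged in as account 1001, asking for everything.
    print("vulnerable:", [r.username for r in search_vulnerable("1001", {"account_id": "*"})])
    print("hardened:  ", [r.username for r in search_hardened("1001", {"username": "*"})])
    try:
        search_hardened("1001", {"account_id": "*"})
    except PermissionError as exc:
        print("hardened rejects wildcard account filter:", exc)
```

The point of the hardened version is not that wildcards are banned; it is that the one field that decides whose data a row belongs to is never read from the request at all. Once that predicate is fixed server-side, a wildcard on any other column can only ever return the caller's own records. Weaver's follow-on concern about writes applies the same way: any update path has to apply the identical session-derived owner check before touching a row.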
Engadget has reached out to the USPS for comment and will update this post upon its reply.
Update 11/21/18 4:12pm ET: A rep for the USPS has issued the following statement:
We currently have no information that this vulnerability was leveraged to exploit customer records. The information shared with the Postal Service allowed us to quickly mitigate this vulnerability.
Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service's Information Security program and the Inspection Service use industry best practices to constantly monitor our network for suspicious activity.
Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.