The United States Postal Service has patched a serious security vulnerability that exposed the data of more than 60 million users to anyone with a USPS.com website account.
The U.S.P.S. is an independent agency of the American federal government that provides postal service in the United States and is explicitly authorized by the United States Constitution.
The vulnerability stems from an authentication weakness in an application programming interface (API) for the USPS “Informed Visibility” program, which enables business customers to track mail in real time.
60 Million USPS Users’ Data Exposed
The cybersecurity researcher, whose identity was not disclosed, stated that the API accepted “wildcard” search parameters, permitting anyone logged in to usps.com to query the system for account details belonging to any other user.
As a result, an attacker could retrieve details such as email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users and mailing campaign data from as many as 60 million USPS customer accounts.
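The flaw described above is a missing object-level authorization check: the API verified that the caller was logged in but never restricted the query to the caller's own records, so a wildcard filter returned everyone's. The following added example (not USPS code; the account records, field names and function names are constructed for illustration) shows that pattern beside a hardened version that scopes the query to the caller before any user-supplied filter is applied.

```python
import fnmatch

# Constructed sample records; names and values are illustrative, not real USPS data.
ACCOUNTS = [
    {"user_id": 1001, "username": "alice", "email": "alice@example.com", "phone": "202-555-0101"},
    {"user_id": 1002, "username": "bob",   "email": "bob@example.com",   "phone": "202-555-0102"},
    {"user_id": 1003, "username": "carol", "email": "carol@example.org", "phone": "202-555-0103"},
]

# Allow-list of fields a caller may filter on (hypothetical for this example).
SEARCHABLE = ("username", "email", "phone")


def _matches(record, filters):
    """True when every supplied filter matches the record (wildcards via fnmatch)."""
    return all(fnmatch.fnmatchcase(str(record.get(field, "")), pattern)
               for field, pattern in filters.items())


def search_accounts_vulnerable(session_user_id, filters):
    """Flawed pattern: the caller must be logged in, but their identity is never
    used to scope the query, so a wildcard such as {"email": "*"} returns
    every account in the table."""
    if session_user_id is None:
        raise PermissionError("login required")
    return [r for r in ACCOUNTS if _matches(r, filters)]


def search_accounts_hardened(session_user_id, filters):
    """Object-level authorization: only allow-listed fields are searchable, and
    the candidate set is restricted to rows the caller owns *before* the
    user-supplied filter runs, so a wildcard can never widen access."""
    if session_user_id is None:
        raise PermissionError("login required")
    unknown = set(filters) - set(SEARCHABLE)
    if unknown:
        raise ValueError(f"unsupported search field(s): {sorted(unknown)}")
    owned = [r for r in ACCOUNTS if r["user_id"] == session_user_id]
    return [r for r in owned if _matches(r, filters)]
```

Logging requests whose filters contain wildcard characters, and alerting when one caller's result volume far exceeds the number of records they own, is a cheap detection for the same class of flaw.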
Setu Kulkarni, VP of strategy and business development at WhiteHat Security, said that APIs are becoming a threat when it comes to internet-scale B2B connectivity and security. When insecure, APIs break down the very premise of uber-connectivity they have helped establish. To avoid such flaws, government agencies and companies must be proactive with regard to application security. All businesses that handle consumer data must give security the topmost concern, with the commitment to perform uncompromising security tests against vulnerable avenues: APIs, network connections, mobile apps, websites, and databases. Organizations that depend on digital platforms must educate their developers to code using the best security practices throughout the entire software lifecycle (SLC), with proper security training and certifications.
USPS Ignored Responsible Disclosure For Over a Year
This vulnerability also let any USPS user request account changes for other users, such as to their email addresses, phone numbers or other details. The way USPS handled the responsible vulnerability disclosure was even worse.
The researcher discovered and responsibly reported this vulnerability to the Postal Service last year, but the agency ignored it and left users’ data exposed until last week, when a journalist contacted USPS on behalf of the researcher.
The Postal Service then addressed the issue within 48 hours and responded that it has no information that this vulnerability was leveraged to exploit customer records.
The Postal Service is currently investigating to ensure that anyone who tried to access its systems inappropriately is pursued to the fullest extent of the law.