The United States Postal Service has patched a critical security vulnerability that exposed the data of more than 60 million customers to anyone with an account on the USPS.com website.
The U.S.P.S. is an independent agency of the American federal government responsible for providing postal service in the United States and is one of the few government agencies explicitly authorized by the United States Constitution.
The vulnerability was an access-control weakness in the application programming interface (API) behind the USPS "Informed Visibility" program, a service that lets business customers track mail in near real time. The API authenticated callers, but it did not check whether the caller was authorized to see the records a query returned.
60 Million USPS Users' Data Exposed
According to the cybersecurity researcher, who has not disclosed his identity, the API was programmed to accept any number of "wildcard" search parameters, enabling anyone logged in to usps.com to query the system for account details belonging to any other user.
In other words, an attacker could have pulled email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, lists of authorized users and mailing campaign data for as many as 60 million USPS customer accounts.
"APIs are turning out to be a double-edged sword when it comes to internet scale B2B connectivity and security. APIs, when insecure, break down the very premise of uber connectivity they have helped establish," Setu Kulkarni, VP of strategy and business development at WhiteHat Security told The Hacker News.
"To avoid similar flaws, government agencies and companies must be proactive, not just reactive, in regards to application security. Every business that handles consumer data needs to make security a consistent, top-of-mind concern with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites, and databases. Organizations that rely on digital platforms need to educate and empower developers to code using security best practices throughout the entire software lifecycle (SLC), with proper security training and certifications."
What's More Worrisome?
The same access-control gap covered writes as well as reads: any logged-in USPS user could also request account changes for other users, such as their email addresses, phone numbers or other key details.
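As an added illustration, constructed for this article and not USPS code or anything from the researcher's report, the Python model below shows both halves of the flaw as described: a search handler that checks only that the caller is logged in and then applies the caller's wildcard filter to every record in the table, and an update handler with the same gap, next to hardened versions that scope each request to the caller's own accounts and reject wildcard characters. The account table, the user names and the `login`, `search_*` and `update_*` functions are all assumptions made for the example.

```python
"""Constructed model of the access-control flaw described above.

Illustrative code written for this article, not USPS code. It models an
"account lookup" API as two handler pairs over an in-memory table: a
vulnerable pair that only checks the caller is logged in, and a hardened
pair that also checks which records the caller may touch. Every name,
account number and contact detail here is made up.
"""
import fnmatch
from dataclasses import dataclass


def sample_accounts():
    """Fresh copy of a constructed customer table; 'owner' is the business user."""
    return {
        "1001": {"owner": "acme",   "email": "ops@acme.example",     "phone": "555-0101"},
        "1002": {"owner": "acme",   "email": "billing@acme.example", "phone": "555-0102"},
        "2001": {"owner": "globex", "email": "mail@globex.example",  "phone": "555-0201"},
        "3001": {"owner": "jdoe",   "email": "jdoe@example.net",     "phone": "555-0301"},
    }


@dataclass(frozen=True)
class Session:
    """What authentication establishes: who is calling and which accounts are theirs."""
    user: str
    authorized_accounts: frozenset


def login(accounts, user):
    """Stand-in for authentication; the session records the caller's own accounts."""
    owned = frozenset(aid for aid, rec in accounts.items() if rec["owner"] == user)
    return Session(user=user, authorized_accounts=owned)


class Forbidden(Exception):
    """Raised when the caller is not logged in or lacks rights to the object."""


# --- Vulnerable: authentication only ---------------------------------------

def search_vulnerable(accounts, session, email_filter):
    """Checks only that a session exists, then runs the caller's filter over the
    whole table. A wildcard such as '*' therefore returns every customer record."""
    if session is None:
        raise Forbidden("login required")
    return {aid: rec for aid, rec in accounts.items()
            if fnmatch.fnmatchcase(rec["email"], email_filter)}


def update_vulnerable(accounts, session, account_id, new_phone):
    """Same gap on the write path: any logged-in user may edit any account."""
    if session is None:
        raise Forbidden("login required")
    accounts[account_id]["phone"] = new_phone
    return accounts[account_id]


# --- Hardened: object-level authorisation on every request -----------------

def search_hardened(accounts, session, email_filter):
    """Restrict the candidate set to the caller's own accounts *before* filtering,
    and reject glob metacharacters so a filter can never widen that set."""
    if session is None:
        raise Forbidden("login required")
    if any(ch in email_filter for ch in "*?["):
        raise ValueError("wildcards are not accepted in this field")
    return {aid: accounts[aid] for aid in session.authorized_accounts
            if accounts[aid]["email"] == email_filter}


def update_hardened(accounts, session, account_id, new_phone):
    """Refuse to touch an account the session does not own. The same error is
    returned whether or not the account exists, so valid IDs are not confirmed."""
    if session is None or account_id not in session.authorized_accounts:
        raise Forbidden("not authorised for that account")
    accounts[account_id]["phone"] = new_phone
    return accounts[account_id]


if __name__ == "__main__":
    table = sample_accounts()
    attacker = login(table, "jdoe")  # an ordinary logged-in user with one account
    print("vulnerable '*' search ->", sorted(search_vulnerable(table, attacker, "*")))
    try:
        search_hardened(table, attacker, "*")
    except ValueError as err:
        print("hardened '*' search -> rejected:", err)
    try:
        update_hardened(table, attacker, "1001", "555-9999")
    except Forbidden as err:
        print("hardened cross-account update -> rejected:", err)
```

Running it shows the logged-in user jdoe pulling every record with a "*" filter from the vulnerable handler, while the hardened one rejects the wildcard and refuses the cross-account update. The point is that authentication only settles who is calling; each read and each write still has to check whether that caller may touch the specific record it names.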
USPS Ignored Responsible Disclosure For Over a Year
The worst part of the whole incident was how USPS handled the responsible disclosure.
The unnamed researcher reportedly discovered the vulnerability and responsibly reported it to the Postal Service last year, but USPS ignored the report and left its users' data exposed until last week, when a journalist contacted USPS on behalf of the researcher.
USPS then addressed the issue within 48 hours, journalist Brian Krebs said.
"While we're not sure whether anyone actually took advantage of the vulnerability, it did reportedly exist for a whole year, so we should assume the worst," Paul Bischoff, privacy advocate with Comparitech told The Hacker News.
USPS Responds by Saying:
"We currently have no information that this vulnerability was leveraged to exploit customer records."
"Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."