A significant flaw was recently discovered in the website of the United States Postal Service: anybody with an account on usps.com could view the account details of up to 60 million other users. In a handful of cases a user could even modify another person's account details, such as their email address or phone number, without that person knowing.
The issue was caused by a security weakness in the website's application programming interface, or API, tied to the Postal Service's 'Informed Visibility' feature, which is designed to provide near real-time mail tracking data to business customers.
Not only did the API expose near real-time information about mail being sent by commercial customers, it also let any logged-in user query the system for account details belonging to others: it did not check whether the requesting account was entitled to the records it returned. The exposed data included email addresses, account numbers, street addresses, phone numbers, user IDs and much more. There was also evidence that thieves were abusing this feature to track mail arriving at customers' homes in order to steal important documents or packages.
More worryingly, many of the API's functions also accepted "wildcard" search parameters, so a user could retrieve every record in a given data set without searching for any specific term. No hacking tools of any sort were needed to access this data; a user only had to know how to view and modify the data elements that a normal web browser such as Google Chrome or Mozilla Firefox sends to the site.
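The two failures described above, an authenticated-but-unscoped lookup that honours wildcards and an update that never compares the target account with the caller, are easiest to see side by side with their fixed forms. The following is an added illustration written for this article, not USPS code; the record store, field names, parameter names (`field`, `q`, `account`, `email`) and the use of shell-style wildcards are all constructed assumptions standing in for whatever the real API did.

```python
"""Added example (not USPS code): a lookup/update API that trusts request
parameters, beside one that scopes every query to the authenticated caller.
Record data, field names and parameter names are constructed for illustration."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed sample records; "owner" is the login that owns each account.
ACCOUNTS = {
    "acct-1001": {"owner": "user-a", "email": "alice@example.org", "phone": "555-0100"},
    "acct-1002": {"owner": "user-b", "email": "bob@example.org",   "phone": "555-0101"},
    "acct-1003": {"owner": "user-c", "email": "carol@example.org", "phone": "555-0102"},
}
SEARCHABLE = ("email", "phone")
WILDCARD_CHARS = set("*?[")   # fnmatch metacharacters


def fresh_store():
    """Independent copy of ACCOUNTS so update examples do not bleed into each other."""
    return {aid: dict(rec) for aid, rec in ACCOUNTS.items()}


@dataclass
class Request:
    user_id: str                                   # identity proven by the session
    params: dict = field(default_factory=dict)     # query/body data; attacker-controlled


def lookup_vulnerable(req, store=ACCOUNTS):
    """The pattern the article describes: the caller is authenticated, but the
    field and search pattern come straight from the request and nothing ties the
    result set to the caller's own account. q='*' returns every record."""
    fld = req.params.get("field", "email")
    pattern = req.params.get("q", "*")
    return {aid: rec for aid, rec in store.items()
            if fnmatchcase(rec.get(fld, ""), pattern)}


def lookup_hardened(req, store=ACCOUNTS):
    """Scope to the caller first, then search. Wildcards are rejected outright so
    a bulk-dump attempt fails loudly (and can be logged) rather than silently."""
    fld = req.params.get("field", "email")
    pattern = req.params.get("q", "")
    if fld not in SEARCHABLE:
        raise ValueError("unsupported field")
    if not pattern or WILDCARD_CHARS & set(pattern):
        raise ValueError("wildcard or empty search rejected")
    return {aid: rec for aid, rec in store.items()
            if rec["owner"] == req.user_id and rec[fld] == pattern}


def update_email_vulnerable(req, store):
    """The account id comes from the request and is never compared with the caller."""
    store[req.params["account"]]["email"] = req.params["email"]
    return store[req.params["account"]]


def update_email_hardened(req, store):
    """Object-level check: the target record must belong to the caller. A missing
    record and someone else's record get the same error, so the endpoint cannot be
    used to enumerate which account ids exist."""
    rec = store.get(req.params["account"])
    if rec is None or rec["owner"] != req.user_id:
        raise PermissionError("account not found or not yours")
    rec["email"] = req.params["email"]
    return rec


def raises(fn, exc):
    """Small helper: True if calling fn() raises exc."""
    try:
        fn()
    except exc:
        return True
    return False


if __name__ == "__main__":
    dump_all = Request("user-a", {"q": "*"})
    print("vulnerable lookup returned", len(lookup_vulnerable(dump_all)), "records")
    print("hardened lookup rejects wildcard:", raises(lambda: lookup_hardened(dump_all), ValueError))
    print("hardened lookup, own record:",
          lookup_hardened(Request("user-a", {"q": "alice@example.org"})))
```

The point of the hardened versions is ordering: the ownership filter is applied before any user-supplied search term is consulted, so even a pattern that slips past the wildcard check can only ever match the caller's own records.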
Perhaps the most concerning aspect of this incident is that USPS was informed of the flaw approximately a year ago but took no action. An unnamed researcher discovered and reported the vulnerability, but nothing was done until a journalist re-contacted the Postal Service last week. The flaw was patched within 48 hours of that contact, but the year-long delay remains a concern for other USPS customers who rely on the 'Informed Visibility' tool.
Thankfully, it does not appear that any user passwords were exposed via this issue, and USPS states that it has no reason to believe the vulnerability was exploited to access user records. The Postal Service reassured customers that "the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law".