US Postal Service exposes the data of 60 million of its users
A flaw on the website of the U.S. Postal Service (USPS) reportedly exposed account data for an estimated 60 million users, KrebsOnSecurity reported recently.
An anonymous researcher warned the publication of the security flaw on the USPS website. Anyone with an account on USPS.com could gain access to the user data of about 60 million people and, reports said, could in some cases modify that data.
Perhaps more troubling is that the researcher allegedly warned USPS about the security issue a year ago but did not receive a response.
The security flaw stems from USPS’ Application Program Interface (API) — basically, a set of tools defining how various parts of an online application such as databases and Web pages should interact with one another. The API in question was tied to a Postal Service initiative called “Informed Visibility” that allows businesses and bulk mail senders to “make better business decisions by providing them with access to near real-time tracking data” regarding their mail campaigns. The API enabled senders to gain visibility into the progress of a package, but the security flaw reportedly exposes the data of those commercial clients.
Further, KrebsOnSecurity said, anyone with a USPS online account could access user data including email addresses, user IDs, usernames, account numbers, street addresses, phone numbers and other information. The researcher found that the API accepted so-called “wildcard” search parameters, allowing users to search for all data without having to provide specific search terms.
“No special hacking tools were needed to pull this data,” KrebsOnSecurity noted, “other than knowledge of how to view and modify data elements processed by a regular web browser like Chrome or Firefox.”
“This is not even Information Security 101, this is Information Security 1, which is to implement access control,” said Nicholas Weaver, an International Computer Science Institute researcher and University of California Berkeley speaker, in an interview with the publication. “It seems like the only access control they had in place was that you were logged in at all. And if you can access other people’s data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well.”
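As an added illustration (not USPS code and not from the KrebsOnSecurity report), here is the pattern the article describes in a toy Python lookup service: a search that checks only that the caller is logged in and honours a wildcard parameter, beside a version that scopes every read and write to the caller’s own account. The record fields, account numbers and the “*” wildcard syntax are constructed assumptions.

```python
import fnmatch

# Constructed sample records; each one belongs to a single account.
RECORDS = [
    {"account": "A100", "email": "alice@example.com", "phone": "555-0100"},
    {"account": "A200", "email": "bob@example.com", "phone": "555-0200"},
    {"account": "A300", "email": "carol@example.com", "phone": "555-0300"},
]


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested account."""


def vulnerable_search(session, account_pattern):
    # Only checks that *someone* is logged in, then applies the caller's
    # pattern to every record: a "*" parameter returns the whole table.
    if session is None:
        raise Forbidden("login required")
    return [r for r in RECORDS if fnmatch.fnmatchcase(r["account"], account_pattern)]


def authorize(session, account):
    # Object-level check: the logged-in account must own the one requested,
    # and wildcard search parameters are refused outright.
    if session is None:
        raise Forbidden("login required")
    if any(c in account for c in "*?["):
        raise ValueError("wildcard search parameters are not accepted")
    if account != session["account"]:
        raise Forbidden("not authorized for account %s" % account)


def hardened_search(session, account):
    authorize(session, account)
    return [r for r in RECORDS if r["account"] == account]


def hardened_update_phone(session, account, new_phone):
    # The same check guards the write path; read and write must both enforce it.
    authorize(session, account)
    for r in RECORDS:
        if r["account"] == account:
            r["phone"] = new_phone
            return True
    return False


if __name__ == "__main__":
    bob = {"account": "A200"}
    print(len(vulnerable_search(bob, "*")))  # 3: every account's data
    print(hardened_search(bob, "A200"))  # only Bob's own record
```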