Flawed US Postal Service API exposes data on 60 million users

The fault allowed users to access any USPS account using basic Google Chrome features

A significant flaw has been discovered in the website of the US Postal Service which exposed near real-time data about packages sent by commercial customers and, in some cases, allowed users to change information belonging to other account holders.

USPS was informed of the security flaw over a year ago, according to the researcher who made the discovery. Upon receiving a message from the researcher detailing the issue, industry expert Brian Krebs alerted USPS once again, which prompted the organisation to issue a fix.

The fault lay in the site's application programming interface (API), which was tied to its 'Informed Visibility' service, a tool that provides real-time tracking data to businesses and advertisers. The flaw not only exposed this information online, it also allowed any user who was logged in to usps.com to search the site and gain access to account details belonging to any other USPS user, including email addresses and phone numbers.

Even more alarmingly, because the API accepted 'wildcard' parameters, multiple or all records for a given field such as a home address could be revealed without having to search for anything more specific. All of this could be done without special hacking tools; a basic understanding of how to use the 'inspect element' feature in Chrome would suffice, according to the researcher.

Krebs also discovered that once inside another user's account, account changes could be requested, such as name or email address changes. Fortunately, USPS validation checks require account owners to confirm any such changes by clicking on an email link, and so any such attempts would have been flagged.
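As an added illustration, not USPS code and not from the researcher or Krebs, the following toy lookup handler has the two weaknesses the article describes, a login-only check and glob-style filters that honour wildcards, beside a version that scopes results to the caller's own records and rejects wildcards. The records, account names and field names are constructed for the example.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str    # account that owns this tracking record
    email: str
    address: str


# Constructed sample data standing in for per-customer tracking records.
RECORDS = [
    Record("alice", "alice@example.com", "1 Main St"),
    Record("bob", "bob@example.com", "2 Oak Ave"),
    Record("carol", "carol@example.com", "3 Main St"),
]


class NotAuthorized(Exception):
    pass


def vulnerable_search(session_user, address_filter):
    """Flawed handler: the only check is that *some* user is logged in, and the
    filter is matched as a glob, so a filter of '*' returns every customer's
    record regardless of who owns it."""
    if session_user is None:
        raise NotAuthorized("login required")
    return [r for r in RECORDS if fnmatch.fnmatchcase(r.address, address_filter)]


def hardened_search(session_user, address_filter):
    """Hardened handler: authentication is still required, wildcard syntax is
    rejected, and results are restricted to the caller's own records before
    the filter is applied (object-level authorization)."""
    if session_user is None:
        raise NotAuthorized("login required")
    if any(ch in address_filter for ch in "*?["):
        raise ValueError("wildcards are not accepted")
    own_records = [r for r in RECORDS if r.owner == session_user]
    return [r for r in own_records if r.address == address_filter]
```

With the flawed handler, a logged-in user passing `*` receives all three records; the hardened handler returns only the caller's own matching record and refuses wildcard filters outright.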


Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, told Krebs: "This is not even Information Security 101, this is Information Security 1, which is to implement access control. It seems like the only access control they had in place was that you were logged in at all. And if you can access other people's data because they aren't enforcing access controls on reading that data, it's catastrophically bad."

Speaking to IT Pro, Rusty Carter, VP of product management at Arxan said: "While APIs serve a great purpose in enhancing the functionality of many sites, this is just the latest example of how they can allow unauthorised and unexpected access to data they should not be allowed to display or serve up to anyone who uses them.

"When building out APIs, organisations and developers need to assume that all the data and functionality inside the app can be made directly available as a tool to any attacker."

APIs are tools that extend a website's functionality by allowing different apps to exchange data and communicate with each other. For example, Google Maps allows developers to use Google's API to include location and mapping data instead of having to build it themselves.
