Flawed US Postal Service API exposes data on 60 million users

The fault allowed users to access any USPS account using basic Google Chrome features

A significant flaw has been discovered in the website of the US Postal Service which exposed near real-time data about packages sent by commercial customers and, in some cases, allowed users to change information belonging to other account holders.

USPS was informed of the security flaw over a year ago, according to the researcher who made the discovery. Upon receiving a message from the researcher detailing the issue, industry expert Brian Krebs alerted USPS once again, which prompted the organisation to issue a fix.


The fault lay in the site's application programming interface (API), which was tied to its 'Informed Visibility' service, a tool that provides real-time tracking data to businesses and advertisers. The flaw not only exposed this information online but also allowed any user logged in to usps.com to search the site and gain access to account details belonging to any other USPS user, including email addresses and phone numbers.

Even more alarmingly, because the API accepted 'wildcard' parameters, multiple or all records for a given data set, such as a home address, could be revealed without any more specific search. All of this could be done without special hacking tools; according to the researcher, a basic understanding of how to use Chrome's 'inspect element' feature would suffice.
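The two failures described above, as an added illustration that is not USPS code and uses constructed records and hypothetical function names: a lookup handler that checks only for a session and honours wildcard terms, beside one that enforces object-level authorization and rejects wildcards.

```python
"""Added example (not USPS code): the class of bug the article describes.

lookup_vulnerable mirrors the reported pattern: the only check is that a
session exists, and a wildcard term returns every matching record.
lookup_hardened adds object-level authorization and refuses wildcards.
All records, names and the wildcard syntax are constructed for illustration.
"""
from typing import Dict, List, Optional

# Constructed sample records; 'owner_id' is the account allowed to read each.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "1001": {"owner_id": "1001", "email": "a@example.test", "phone": "555-0100"},
    "1002": {"owner_id": "1002", "email": "b@example.test", "phone": "555-0101"},
    "1003": {"owner_id": "1003", "email": "c@example.test", "phone": "555-0102"},
}

WILDCARD_CHARS = set("*%?")  # hypothetical wildcard syntax for this toy API


def _matches(term: str, account_id: str) -> bool:
    """Toy matcher: '*' matches every id, otherwise exact match only."""
    return term == "*" or term == account_id


def lookup_vulnerable(session_user: Optional[str], term: str) -> List[Dict[str, str]]:
    """Authentication only: any logged-in user can read any matching record."""
    if session_user is None:
        raise PermissionError("login required")
    return [rec for acct, rec in ACCOUNTS.items() if _matches(term, acct)]


def lookup_hardened(session_user: Optional[str], term: str) -> List[Dict[str, str]]:
    """Authentication plus ownership check; one exact id per request."""
    if session_user is None:
        raise PermissionError("login required")
    if any(ch in WILDCARD_CHARS for ch in term) or not term.isdigit():
        raise ValueError("lookup term must be a single account id")
    rec = ACCOUNTS.get(term)
    # Treat 'not yours' the same as 'not found' so the response does not
    # confirm which ids exist to a caller who is not the owner.
    if rec is None or rec["owner_id"] != session_user:
        return []
    return [rec]
```

The hardened handler still answers the owner's own lookup normally; the change is that the session identity is compared against the record, not merely checked for existence.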

Krebs also discovered that once inside another user's account, changes such as a new name or email address could be requested. Fortunately, USPS validation checks require account owners to confirm any such change by clicking on an email link, so any such attempt would have been flagged.


Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, told Krebs: "This is not even Information Security 101, this is Information Security 1, which is to implement access control. It seems like the only access control they had in place was that you were logged in at all. And if you can access other people's data because they aren't enforcing access controls on reading that data, it's catastrophically bad."

Speaking to IT Pro, Rusty Carter, VP of product management at Arxan, said: "While APIs serve a great purpose in enhancing the functionality of many sites, this is just the latest example of how they can allow unauthorised and unexpected access to data they should not be allowed to display or serve up to anyone who uses them.

"When building out APIs, organisations and developers need to assume that all the data and functionality inside the app can be made directly available as a tool to any attacker."

APIs are tools that extend a website's functionality by letting different applications exchange data and communicate with each other. Google Maps, for example, lets developers use Google's API to include location and mapping data instead of building it themselves.
