
US Postal Service Plugs API Flaw - One Year Later

Flaw Exposed Personal Data for 60 Million 'Informed Visibility' Accounts

A vulnerability in a U.S. Postal Service application for tracking mail in real time would have allowed anyone logged into the service to view personal data for as many as 60 million accounts.


USPS fixed the error within 48 hours, according to information security blogger Brian Krebs, who alerted the organization after he received a tip from an anonymous security researcher.

Krebs reports, however, that his source told USPS of the problem more than a year ago. The issue wasn't fixed then, and USPS apparently never responded to the researcher.


In a statement, USPS says the incident is under investigation and that it doesn't believe others took advantage of the problem.

"We currently have no information that this vulnerability was leveraged to exploit customer records," USPS says. "The information shared with the Postal Service allowed us to quickly mitigate this vulnerability.

"Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information," it continued. "Similar to other companies, the Postal Service's Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity."

Colin Bastable, CEO of Lucy Security, says that USPS's "inexcusable delay in rectifying the problem has exposed millions to the risk of cybercrime. The USPS breach is yet another example of the dreadful risks that American consumers take every day, simply by going about their daily business online."

Full Query Access

The apparent source of the issue was an authentication-related vulnerability within an application programming interface, or API, for USPS's Informed Visibility service, which provides tracking updates for letters, flat mail, bundles and containers for business customers.

Krebs writes that the vulnerability allowed anyone with an account to query the database behind it. The API also accepted wildcard parameters, which meant that all records for a particular data set would be returned without the need for precise search terms, he writes.

The problem at USPS is just the latest example of developers having failed to properly limit access to an API, says Rusty Carter, vice president of product management with the application security company Arxan.

Without proper access controls, "developers need to assume that all the data and functionality inside the app can be made directly available as a tool to any attacker," Carter says.

Krebs writes that searching for an email address, for example, could return account information for not only one user, but any other accounts that were also registered at the same postal address.

The personal data in the Informed Visibility accounts can include email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users and mailing campaign data, Krebs writes.

Krebs reports that, before the issue was fixed, it appeared that someone could change another user's personal information. He tested this by trying to modify the email address on his own account. Fortunately, USPS sends a confirmation email that requires the user to click a link before such a change takes effect.
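The two weaknesses described above, any authenticated user being able to query the whole data set and wildcard parameters returning every record, are both failures of object-level authorization rather than of authentication. The following Python is an added illustration written for this article; it is not USPS code and says nothing about how the Informed Visibility API was actually built. It models the reported behaviour over a small constructed account table, places a hardened lookup beside it that rejects wildcards and filters results by the caller's identity, and adds a simple audit check a defender could run over request logs. The account records, field names and the `authorized_for` policy are all assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass

# Constructed sample records standing in for an account store; none are real.
@dataclass(frozen=True)
class Account:
    user_id: int
    email: str
    street_address: str
    phone: str

ACCOUNTS = [
    Account(1001, "alice@example.org", "10 Main St", "555-0100"),
    Account(1002, "bob@example.org", "10 Main St", "555-0101"),   # same address as alice
    Account(1003, "carol@example.org", "99 Elm Ave", "555-0102"),
]

WILDCARD_CHARS = set("*?[]%")


def search_vulnerable(caller_id: int, field: str, pattern: str) -> list[Account]:
    """Models the reported flaw: being logged in is the only check, the query runs
    against every record, and the pattern is matched as a wildcard, so '*' returns
    the whole table. caller_id is accepted but never used for authorization."""
    return [a for a in ACCOUNTS if fnmatch.fnmatch(getattr(a, field), pattern)]


def authorized_for(caller_id: int, account: Account) -> bool:
    """Assumed policy for the example: a caller may only read their own account.
    A real service would consult its ownership/delegation model here."""
    return account.user_id == caller_id


def search_hardened(caller_id: int, field: str, value: str) -> list[Account]:
    """Hardened form: exact match only, wildcards rejected, and every hit is passed
    through the authorization policy before it leaves the handler. Searching by a
    shared street address therefore no longer reveals co-located accounts."""
    if field not in ("email", "street_address"):
        raise ValueError("unsupported search field")
    if WILDCARD_CHARS & set(value):
        raise ValueError("wildcard characters are not accepted")
    hits = [a for a in ACCOUNTS if getattr(a, field) == value]
    return [a for a in hits if authorized_for(caller_id, a)]


def audit_flags(request_log: list[dict], max_rows: int = 1) -> list[dict]:
    """Detection side: given constructed log entries of the shape
    {"caller": id, "field": str, "query": str, "rows": int}, flag requests that used
    wildcards or that returned more rows than one caller should ever see."""
    flagged = []
    for entry in request_log:
        reasons = []
        if WILDCARD_CHARS & set(entry["query"]):
            reasons.append("wildcard query")
        if entry["rows"] > max_rows:
            reasons.append(f"{entry['rows']} rows returned")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # Alice (1001) asks for everything; the vulnerable handler obliges.
    print(len(search_vulnerable(1001, "email", "*")), "records leaked")
    # The hardened handler refuses the wildcard and scopes exact matches to the caller.
    print(search_hardened(1001, "street_address", "10 Main St"))
    log = [{"caller": 1001, "field": "email", "query": "*", "rows": 3}]
    print(audit_flags(log))
```

The important design choice is that `search_hardened` filters on the caller's identity after the query, independent of what was searched for; rejecting wildcards alone would still let a caller enumerate other accounts one exact value at a time. The audit function is the cheap retrospective check: if logs show wildcard queries or result sets larger than a single account, the API was being used as a bulk export tool.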

Disclosure Issues, Once Again

The fact that USPS apparently didn't heed the advice of the security researcher is particularly worrisome, but far from unheard of. It's unclear why companies and organizations either ignore or fail to take seriously tips from anonymous researchers.

And that's a source of endless frustration in the security community. Even well-known security pros who disclose issues have been ignored, which has caused some to tweet or publicize their findings in the hope that some resulting embarrassment will trigger action.

Researchers often take their findings to the news media if they don't get a response from an organization they've alerted. Queries to press offices often appear to get prioritized, potentially over fears that they will spark negative news stories.

Jeremiah Grossman, CEO of Bit Discovery, humorously tweeted that security professionals should consider classifying themselves as journalists when approaching organizations. "Idea: Start disclosing vulns as a 'journalist' instead of a 'security researcher' and let's see what happens," Grossman tweeted.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
