USPS API Security Flaw Exposed 60 Million Users’ Data

A flaw on the website of the U.S. Postal Service (USPS) reportedly exposed account data for an estimated 60 million users, KrebsOnSecurity reported Wednesday (November 21).

An anonymous researcher warned the publication of the security flaw on the USPS website. Anyone with an account on USPS.com could gain access to the user data of about 60 million people and, reports said, could in some cases modify that data.

Perhaps more troubling is that the researcher allegedly warned USPS about the security issue a year ago but did not receive a response.

The security flaw stems from the USPS’s API, part of the USPS’s “Informed Visibility” initiative that allows businesses and bulk mail senders to “make better business decisions by providing them with access to near real-time tracking data” about their mail campaigns. The API enabled senders to gain visibility into the progress of a package, but the security flaw reportedly exposes the data of commercial clients.

Further, KrebsOnSecurity said, anyone with a USPS online account could access user data including email addresses, user IDs, usernames, account numbers, street addresses, phone numbers and other information. The researcher found that the API accepted so-called “wildcard” search parameters, allowing users to search for all data without having to provide specific search terms.

“No special hacking tools were needed to pull this data,” KrebsOnSecurity noted, “other than knowledge of how to view and modify data elements processed by a regular web browser like Chrome or Firefox.”

“This is not even Information Security 101, this is Information Security 1, which is to implement access control,” said Nicholas Weaver, an International Computer Science Institute researcher and University of California Berkeley speaker, in an interview with the publication. “It seems like the only access control they had in place was that you were logged in at all. And if you can access other people’s data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well.”
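
As an added illustration (not code from USPS, KrebsOnSecurity or the researcher), the sketch below contrasts a search handler whose only check is a valid login and which honours wildcard terms with one that requires exact terms and enforces account ownership on both reads and writes. The record fields, function names and sample accounts are constructed assumptions.

```python
import fnmatch

# Constructed sample records; the field names are assumptions, not the real schema.
ACCOUNTS = [
    {"owner": "alice", "email": "alice@example.com", "phone": "555-0100"},
    {"owner": "bob", "email": "bob@example.com", "phone": "555-0101"},
    {"owner": "carol", "email": "carol@example.org", "phone": "555-0102"},
]
SEARCHABLE = {"email", "phone"}   # allow-list of fields a caller may query
WILDCARDS = set("*?[]%")          # glob and SQL LIKE metacharacters

class Forbidden(Exception): pass
class BadRequest(Exception): pass

def search_login_only(session_user, field, pattern):
    """'Before': being logged in is the only check, and patterns are honoured."""
    if session_user is None:
        raise Forbidden("login required")
    return [a for a in ACCOUNTS if fnmatch.fnmatchcase(a[field], pattern)]

def _validate(session_user, field, value):
    if session_user is None:
        raise Forbidden("login required")
    if field not in SEARCHABLE:
        raise BadRequest("unknown field")
    if not value or WILDCARDS & set(value):
        raise BadRequest("exact search term required")

def search_scoped(session_user, field, value):
    """'After': exact match only, restricted to records the caller owns."""
    _validate(session_user, field, value)
    return [a for a in ACCOUNTS
            if a["owner"] == session_user and a[field] == value]

def update_scoped(session_user, owner, field, value):
    """Writes get the same ownership check as reads."""
    _validate(session_user, field, value)
    if session_user != owner:
        raise Forbidden("not the account owner")
    for a in ACCOUNTS:
        if a["owner"] == owner:
            a[field] = value
            return a
    raise BadRequest("no such account")
```

The ownership filter is applied on the server from the session identity, so it holds regardless of what the browser sends in the request.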