US Postal Service Left 60 Million Users Data Exposed For Over a Year
by alixavi - 11-26-2018, 09:34 PM
The United States Postal Service has patched a critical security vulnerability that exposed the data of more than 60 million customers to anyone who has an account at the website.

The U.S.P.S. is an independent agency of the American federal government responsible for providing postal service in the United States and is one of the few government agencies explicitly authorized by the United States Constitution.

The vulnerability is tied to an authentication weakness in an application programming interface (API) for the USPS "Informed Visibility" program designed to help business customers track mail in real-time.
60 Million USPS Users' Data Exposed

According to the cybersecurity researcher, who has not disclosed his identity, the API was programmed to accept any number of "wildcard" search parameters, enabling anyone logged in to to query the system for account details belonging to any other user.

In other words, the attacker could have pulled off email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users and mailing campaign data from as many as 60 million USPS customer accounts.

"APIs are turning out to be a double-edged sword when it comes to internet scale B2B connectivity and security. APIs, when insecure, break down the very premise of uber connectivity they have helped establish," Setu Kulkarni, VP of strategy and business development at WhiteHat Security told The Hacker News.

"To avoid similar flaws, government agencies and companies must be proactive, not just reactive, in regards to application security. Every business that handles consumer data needs to make security a consistent, top-of-mind concern with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites, and databases. Organizations that rely on digital platforms need to educate and empower developers to code using security best practices throughout the entire software lifecycle (SLC), with proper security training and certifications."

USPS Ignored Responsible Disclosure For Over a Year

What's More Worrisome?

The API authentication vulnerability also allowed any USPS user to request account changes for other users, such as their email addresses, phone numbers or other key details.
The worst part of the whole incident was the USPS handling of responsible vulnerability disclosure.

The unnamed researcher reportedly discovered and responsibly reported this vulnerability last year to the Postal Service, who ignored it and left its users’ data exposed until last week when a journalist contacted USPS on behalf of the researcher.

And then, the Portal Service addressed the issue within just 48 hours, journalist Brian Krebs said.

"While we're not sure whether anyone actually took advantage of the vulnerability, it did reportedly exist for a whole year, so we should assume the worst," Paul Bischoff, privacy advocate with Comparitech told The Hacker News.

USPS Responds by Saying:

"We currently have no information that this vulnerability was leveraged to exploit customer records."

"Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."

I still feel like this isn't being spoken about enough. Interested in what the other key details in it are.
It’s government. They just don’t care.
I think that it's not a big deal. I worry more about Facebook and their often security breaches to hackers. That's what fear me the most.
that's just ridiculous imo
They will fix this problem very soon. But this should be a signal for all government services, and websites. As for me, I don't use USPS for quite an amount of time. Instead, using email is much faster and more secure. Besides, for me, who works for using the Internet is vital. It enables me to deliver everything I need in a few seconds.
I saw this article on the news and it honestly surprised me that they wouldn't listen to a security researcher that found such a gigantic flaw in their system. More government agencies and government backed companies need to get more security since the age of Cyber War has already started to happen around the internet.

Possibly Related Threads…
Thread Author Replies Views Last Post
Another Facebook Leak of over 540 million records DarthDread 29 2,454 07-12-2019, 10:44 AM
Last Post: HassoHack
Two Romanian Cybercriminals Convicted of All 21 Counts Relating to Infecting Over 400 Fugitifer 1 186 04-12-2019, 04:39 PM
Last Post: cryptoaccstore
620 Million Online Accounts Data Stolen from 16 Hacked websites TheCoreMan 25 2,150 03-29-2019, 12:35 AM
Last Post: marcosbezerra

 Users browsing this thread: 1 Guest(s)