US Postal Service suffers data breach that exposed 60 million users’ data
- The flaw could allow hackers to modify users’ account details without their knowledge or consent.
- The breach was caused by a vulnerable API that was a part of the USPS ‘Informed Visibility’ program, which has been designed to simplify the job of mail senders.
The US Postal Service (USPS) suffered a data breach that may have exposed the personal information of around 60 million users. USPS issued a patch for a year-old API flaw that allowed anyone with an account on usps.com to view the accounts of around 60 million other users. The flaw could also allow hackers to modify users’ account details without their knowledge or consent.
According to a report by KrebsOnSecurity, the flaw was first discovered by an independent security researcher more than a year ago.
Where does the flaw reside?
The API in question is a part of the USPS ‘Informed Visibility’ program, which has been designed to simplify the job of mail senders. The program provides bulk mail senders access to real-time tracking data about their packages and mail campaigns.
By exploiting the API’s wildcard search parameter, hackers could access not only customers’ tracking data but also their email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, mailing campaign data and more.
What is more, no special hacking tool was required to exploit the flaw. A basic understanding of how to modify request parameters in the web browser console was enough to pull a stream of users’ confidential data from the site.
“This is not even Information Security 101, this is Information Security 1, which is to implement access control,” Nicholas Weaver, a researcher at the International Computer Science Institute, told Brian Krebs. “It seems like the only access control they had in place was that you were logged in at all. And if you can access other people’s data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well.”
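The access-control gap Weaver describes, written out as an added example that is not USPS code: a search handler that gates only on being logged in, beside a hardened version that scopes both reads and writes to the account in the server-side session. The record fields, account ids and the fnmatch-based wildcard matching are constructed stand-ins, not the real API.

```python
# Constructed example, not USPS code: an in-memory list stands in for the
# Informed Visibility data store and fnmatch for the API's wildcard search.
from __future__ import annotations
import fnmatch
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Record:
    account_id: str   # the account that owns this record
    tracking_id: str
    email: str
    street: str


# Constructed sample data for two unrelated customers.
RECORDS = [
    Record("acct-1001", "TRK-0001", "alice@example.com", "1 Elm St"),
    Record("acct-1001", "TRK-0002", "alice@example.com", "1 Elm St"),
    Record("acct-2002", "TRK-0003", "bob@example.com", "9 Oak Ave"),
]


class AuthorizationError(Exception):
    """A query or update would touch a record the caller does not own."""


def search_weak(session_account: str, pattern: str) -> list[Record]:
    """Broken object-level authorization: the only gate is being logged in.
    session_account is never consulted, so '*' returns every customer's data."""
    return [r for r in RECORDS if fnmatch.fnmatchcase(r.tracking_id, pattern)]


def search_hardened(session_account: str, pattern: str) -> list[Record]:
    """The ownership filter comes from the server-side session, not the client,
    so a wildcard can only widen the search within the caller's own records."""
    if not session_account:
        raise AuthorizationError("no authenticated account in session")
    return [r for r in RECORDS if r.account_id == session_account
            and fnmatch.fnmatchcase(r.tracking_id, pattern)]


def update_email_hardened(session_account: str, tracking_id: str, new_email: str) -> Record:
    """Write path with the same check: the record is looked up by id AND owner,
    so knowing another customer's tracking id is not enough to change it."""
    for i, r in enumerate(RECORDS):
        if r.tracking_id == tracking_id and r.account_id == session_account:
            RECORDS[i] = replace(r, email=new_email)
            return RECORDS[i]
    raise AuthorizationError(f"{tracking_id} is not owned by {session_account}")
```

The weak handler is the pattern the article describes: a logged-in user supplies a wildcard and receives every other account's records; the hardened handler returns only the caller's own, and refuses writes to records it does not own.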