The vulnerability persisted on the Postal Service website for almost a year
Cybersecurity and digital forensics specialists from the International Institute of Cyber Security reported that the United States Postal Service has corrected a security vulnerability (ranked as critical), due to which data of over 60 million users who are registered on the usps.com website were exposed.
The US Postal Service is an independent agency of the US federal government. It is responsible for managing and providing postal service throughout the United States, and is one of the few government agencies explicitly mentioned in the United States Constitution.
According to reports from experts in digital forensics, the flaw is linked to a weakness of authentication in an application programming interface (API) for the Postal Service’s “Informed Visibility” program, designed to help enterprise customers to track their mail in real time.
According to the investigators who revealed the security incident, the API in question was configured to accept any number of “wildcard” search parameters, which allowed any usps.com account holder to run queries against the system and retrieve details of accounts belonging to other users.
In other words, an attacker may have obtained email addresses, usernames, user IDs, account numbers, addresses, phone numbers, and postal information for up to 60 million users with an account at usps.com.
“APIs are becoming a double-edged weapon when it comes to Internet-scale connectivity and B2B security. The APIs, when unsafe, break the premise of the connectivity they have helped to establish,” says Setu Kulkarni, a digital forensics specialist at WhiteHat Security.
The Postal Service fixes the vulnerability almost a year later
The API authentication vulnerability also allowed any Postal Service user to request account changes for other users; for example, they could modify other users’ email addresses, phone numbers, or other sensitive details. The worst part of the whole incident was the way the Postal Service handled the disclosure of the vulnerability.
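The weakness described above (an API that authenticates the caller but then honours wildcard search parameters and never checks that the records returned, or modified, belong to that caller) is what is commonly called broken object-level authorization. The following is an added illustration, not code from the Postal Service or from the researchers: a toy in-memory account API with the vulnerable read and write handlers beside hardened versions. The account records, the `u1xx` identifiers and the wildcard character set are constructed assumptions; the article does not document the real API’s syntax.

```python
import fnmatch
from dataclasses import dataclass, replace

# Characters commonly treated as wildcards by search back ends. Assumption:
# the real API's wildcard syntax is not described in the article.
WILDCARD_CHARS = frozenset("*?%[")


@dataclass(frozen=True)
class Account:
    user_id: str
    username: str
    email: str
    phone: str


def sample_store():
    """Constructed sample accounts (not real users), keyed by user ID."""
    return {a.user_id: a for a in (
        Account("u100", "alice", "alice@example.test", "+1-555-0100"),
        Account("u101", "bob", "bob@example.test", "+1-555-0101"),
        Account("u102", "carol", "carol@example.test", "+1-555-0102"),
    )}


def vulnerable_search(store, caller_id, pattern):
    """Authenticated but not authorised: caller_id is known (the user logged in)
    yet is never compared with the records returned, and the raw pattern is
    handed to a wildcard matcher. Returns (http_status, list_of_accounts)."""
    hits = [a for a in store.values() if fnmatch.fnmatchcase(a.user_id, pattern)]
    return 200, hits


def hardened_search(store, caller_id, user_id):
    """Object-level authorisation: an exact identifier only (400 on wildcards),
    and the caller may retrieve nothing but their own record (403 otherwise)."""
    if any(c in WILDCARD_CHARS for c in user_id):
        return 400, []
    if user_id != caller_id:
        return 403, []
    account = store.get(user_id)
    return (200, [account]) if account else (404, [])


def vulnerable_update(store, caller_id, user_id, **changes):
    """Same gap on the write path: any logged-in user may change any other
    user's contact details. Returns an HTTP-style status."""
    if user_id not in store:
        return 404
    store[user_id] = replace(store[user_id], **changes)
    return 200


def hardened_update(store, caller_id, user_id, **changes):
    """Ownership is checked before the record is even looked up, so the
    response does not reveal whether a foreign user ID exists."""
    if user_id != caller_id:
        return 403
    if user_id not in store:
        return 404
    store[user_id] = replace(store[user_id], **changes)
    return 200


def demo():
    """Run both variants against the sample store and summarise the outcome."""
    store = sample_store()
    _, leaked = vulnerable_search(store, "u100", "*")   # one wildcard, every record
    return {
        "records_leaked_by_vulnerable_search": len(leaked),
        "hardened_wildcard_status": hardened_search(store, "u100", "*")[0],
        "hardened_foreign_status": hardened_search(store, "u100", "u101")[0],
        "hardened_own_status": hardened_search(store, "u100", "u100")[0],
        "hardened_foreign_update_status": hardened_update(
            store, "u100", "u101", email="changed@example.test"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handlers return 403 before touching the store, so a request for someone else’s ID neither leaks data nor confirms the ID exists; in a real service the 400 and 403 paths are also the events worth alerting on, since a burst of them from one account is the signature of someone probing the API.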
Although it has not been confirmed, researchers are believed to have discovered the vulnerability and reported it responsibly to the Postal Service officials; however, the office ignored the warnings, leaving users’ data unprotected for almost 12 months, until a journalist contacted the Postal Service on behalf of the investigators.
Subsequently, the Postal Service corrected the problem (a task that took them only 48 hours), said journalist Brian Krebs.
“Although there is no evidence so far that someone has exploited the vulnerability, it is known that it remained present for almost a year, so the panorama doesn’t seem so good,” said Paul Bischoff, a digital rights activist.
On the other hand, the Postal Service stated: “So far we do not have information to confirm that the vulnerability has been exploited. The Postal Service continues to investigate the incident to ensure that any malicious user will be prosecuted by the authorities”.