Do you have an account on USPS.com? If so, you’re not alone. Tens of millions of Americans use it daily for a variety of purposes. Unfortunately, if you do have an account, it may have been compromised.
Recently, the USPS announced the discovery of a critical security vulnerability that exposed the account information of more than sixty million customers to literally anyone with a USPS.com account.
The flaw was discovered by a researcher who has chosen to keep his/her identity a secret, but essentially worked like this:
Any user logged into USPS.com could perform a search using any number of wildcard search parameters. Given that, any user could search for the details of literally any other user on the system and get them. Note that nearly any detail could be collected in this manner, including:
Worst of all, the process of obtaining all the data could easily be automated and simply left to run and collect.
Setu Kulkarni, the VP of Strategy and Business Development at WhiteHat Security had this to say about the flaw:
“APIs are turning out to be a double-edged sword when it comes to internet scale B2B connectivity and security. APIs, when insecure, break down the very premise of uber connectivity they have helped establish.
To avoid similar flaws, government agencies and companies must be proactive, not just reactive, in regard to application security. Every business that handles consumer data needs to make security a consistent, top-of-mind concern with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites, and databases. Organizations that rely on digital platforms need to educate and empower developers to code using security best practices through the entire software lifecycle, with proper security training and certifications.”
The worst part about this incident was the fact that the unnamed security researcher reported the issue to the post office over a year ago. It took that long for the agency to finally take action, and when they did, they were able to solve the problem in less than 48 hours.
While it’s unknown if anyone took advantage of the flaw, there’s no sense taking chances. Assume the worst and act accordingly.