Earlier this week, the U.S. Postal Service patched a flaw in an API on USPS.com that let any user with an account view other users' account details and, in some cases, modify them. The flaw exposed the records of roughly 60 million USPS users.
KrebsOnSecurity was contacted last week by a researcher who discovered the problem, but who asked to remain anonymous. According to KrebsOnSecurity, “The researcher said he informed the USPS about his finding more than a year ago yet never received a response. After confirming his findings, KrebsOnSecurity contacted the USPS, which promptly addressed the issue.”
The problem stemmed from an access-control weakness in a USPS web API that was part of the USPS "Informed Visibility" program, which gives bulk mail senders near real-time tracking data. The API verified that a caller was logged in, but not that the records the caller asked for belonged to that caller.
According to KrebsOnSecurity, “the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.”
“Many of the API’s features accepted ‘wildcard’ search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox”, according to KrebsOnSecurity.
Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, said, “This is not even Information Security 101, this is Information Security 1, which is to implement access control. It seems like the only access control they had in place was that you were logged in at all. And if you can access other people’s data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well.”
As part of the fix, the USPS added a validation step to prevent unauthorized changes: if anyone tries to modify the email address associated with a USPS account via the API, a confirmation message is now sent to the email address already tied to that account.
KrebsOnSecurity states, “It does not appear USPS account passwords were exposed via this API, although KrebsOnSecurity conducted only a very brief and limited review of the API’s rather broad functionality before reporting the issue to the USPS. The API at issue resides here; a copy of the API prior to its modification on Nov. 20 by the USPS is available here as a text file.”
Robert Hansen, chief technology officer at Bit Discovery, a security firm in Austin, Texas, said, “This could easily be leveraged to build up mass targeted spam or spear phishing. It should have been protected via authentication and validated against the logged in user in question.”
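The pattern described above, a check that the caller is logged in but no check that the requested record is the caller's own, is the classic broken object-level authorization bug, and Hansen's fix ("validated against the logged in user in question") is the standard remedy. The following added example, which is not USPS code and does not reflect the real API's structure, contrasts a vulnerable lookup and email-update handler with hardened versions that scope every read and write to the authenticated account and that route an email change through a confirmation token sent to the current address, as the USPS fix does. All names (`Session`, `make_accounts`, the account ids) and the sample data are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


def make_accounts():
    """Constructed sample data: two accounts owned by two different users."""
    return {
        "1001": {"owner": "alice", "email": "alice@example.com", "street": "1 Main St"},
        "1002": {"owner": "bob", "email": "bob@example.com", "street": "2 Elm Ave"},
    }


@dataclass
class Session:
    """Server-side session established at login (hypothetical shape)."""
    user: str
    account_id: str                                # the one account this principal owns
    pending: dict = field(default_factory=dict)    # confirmation token -> proposed email


class Forbidden(Exception):
    pass


def denied(fn, *args):
    """True if the call is refused with Forbidden; used by the demo below."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# --- Vulnerable pattern: being logged in is the only check ------------------

def lookup_vulnerable(session, accounts, account_id):
    """Any logged-in caller reads any record; '*' dumps the whole data set."""
    if session is None:
        raise Forbidden("login required")
    if account_id == "*":                  # wildcard honoured as-is
        return dict(accounts)
    return {account_id: accounts[account_id]}


def set_email_vulnerable(session, accounts, account_id, new_email):
    """Any logged-in caller rewrites any record: no ownership check, no confirmation."""
    if session is None:
        raise Forbidden("login required")
    accounts[account_id]["email"] = new_email
    return accounts[account_id]


# --- Hardened pattern: bind every object to the authenticated principal -----

def _authorize(session, account_id):
    """Object-level check: the id in the request must equal the caller's own.
    An equality test also rejects '*', '%' and any other wildcard input."""
    if session is None:
        raise Forbidden("login required")
    if account_id != session.account_id:
        raise Forbidden("record does not belong to the caller")


def lookup_hardened(session, accounts, account_id):
    _authorize(session, account_id)
    return {account_id: accounts[account_id]}


def request_email_change_hardened(session, accounts, account_id, new_email):
    """Ownership check, then an out-of-band confirmation to the *current*
    address; the record is left untouched until the token comes back."""
    _authorize(session, account_id)
    token = secrets.token_urlsafe(16)
    session.pending[token] = new_email
    current = accounts[account_id]["email"]
    # A real service would email `token` to `current`; here it is returned.
    return token, current


def confirm_email_change_hardened(session, accounts, token):
    """Single-use token; the write is scoped to the session's own account."""
    new_email = session.pending.pop(token, None)
    if new_email is None:
        raise Forbidden("unknown or already-used confirmation token")
    accounts[session.account_id]["email"] = new_email
    return accounts[session.account_id]


if __name__ == "__main__":
    alice = Session(user="alice", account_id="1001")
    acct = make_accounts()
    print("vulnerable '*' returns:", sorted(lookup_vulnerable(alice, acct, "*")))
    print("hardened '*' denied:", denied(lookup_hardened, alice, acct, "*"))
    print("hardened read of bob denied:", denied(lookup_hardened, alice, acct, "1002"))
```

The point of `_authorize` is that the authorization decision is derived from the server-side session, never from a client-supplied parameter, so a tampered request body or query string changes nothing. Rejecting wildcards falls out of the same equality test rather than needing a separate blacklist of special characters.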
In a statement shared with KrebsOnSecurity, the USPS said it currently has no information that this vulnerability was leveraged to exploit customer records, and that the information shared with the USPS allowed it to quickly mitigate the vulnerability.
Here is the rest of the USPS statement:
“Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program and the Inspection Service use industry best practices to constantly monitor our network for suspicious activity.”
“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”
For the full story, see the original report on the KrebsOnSecurity website.