The U.S. Postal Service fixed an authentication weakness in a website API that exposed data on millions of users for at least one year, despite being notified of the issue.
According to a report by infosec journalist Brian Krebs, an unnamed researcher discovered the USPS website flaw, which related to an API, and disclosed the issue more than one year ago. However, it wasn't until Krebs contacted the Postal Service that the issue was acknowledged and fixed. The USPS website flaw stemmed from a service that allowed bulk mail senders to access real-time tracking data. But because of poor authentication, the issue affected all usps.com users.
The Postal Service claimed in a statement to Krebs that the API vulnerability was not used to exploit user data, and an investigation is ongoing. But the USPS website flaw was found to allow any user logged in to usps.com to search the system for account details -- including email address, street address or phone number -- on any other user, without needing to know specific search terms. Additionally, the API allowed a user to request account changes for any other user.
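The failure described above is an authorization gap rather than a login gap: the API checked that a caller was logged in but never tied the records it returned, or the changes it accepted, to that caller. The following added example (not code from USPS or from the report) models that with constructed in-memory records, showing a search endpoint that lets any logged-in user enumerate every account beside a fixed version that scopes both lookups and account changes to the caller's own record; the `Account` fields, user ids and sample values are hypothetical.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Account:
    user_id: str
    email: str
    street: str
    phone: str


# Constructed sample records for the demo; not real USPS data.
ACCOUNTS = {
    "u1001": Account("u1001", "alice@example.com", "1 Main St", "555-0100"),
    "u1002": Account("u1002", "bob@example.com", "2 Oak Ave", "555-0101"),
}


class Forbidden(Exception):
    """Raised when a logged-in caller asks for data it does not own."""


def _matches(acct: Account, query: dict) -> bool:
    # An empty query matches everything: the "no search terms" case.
    return all(getattr(acct, k, None) == v for k, v in query.items())


def search_vulnerable(session_user: str, query: dict) -> list[Account]:
    """Authentication only: the caller must be logged in, but nothing ties the
    result set to the caller, so an empty query returns every record."""
    if session_user not in ACCOUNTS:
        raise Forbidden("login required")
    return [a for a in ACCOUNTS.values() if _matches(a, query)]


def search_fixed(session_user: str, query: dict) -> list[Account]:
    """Object-level authorization: the query is evaluated only against the
    caller's own record, so a wildcard query can reveal nothing new."""
    if session_user not in ACCOUNTS:
        raise Forbidden("login required")
    if query.get("user_id", session_user) != session_user:
        raise Forbidden("cannot query another user's account")
    own = ACCOUNTS[session_user]
    return [own] if _matches(own, query) else []


def update_fixed(session_user: str, target_user: str, changes: dict) -> Account:
    """Account changes are accepted only for the caller's own record."""
    if session_user not in ACCOUNTS:
        raise Forbidden("login required")
    if target_user != session_user:
        raise Forbidden("cannot change another user's account")
    ACCOUNTS[target_user] = replace(ACCOUNTS[target_user], **changes)
    return ACCOUNTS[target_user]
```

A real deployment would take the session user from the server-side session, never from a request parameter, and would log rejected cross-user requests so that enumeration attempts show up in monitoring.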
Paul Bischoff, privacy advocate at Comparitech, based in the U.K., noted this is not the first security issue for Informed Visibility, the program to which the USPS website flaw was tied. So, it was likely already a target for hackers.
"APIs can be a very effective way for businesses to allow third parties to build useful tools and applications around that business's data, but they must be properly secured," Bischoff said. "While we're not sure whether anyone actually took advantage of the vulnerability, it did reportedly exist for a whole year, so we should assume the worst."
Mark Risher, head of account security at Google, said the exposed USPS information could be used in further attacks if it gets in the wrong hands.
"We've increasingly seen this type of leaked information -- email addresses, street addresses and phone numbers -- used to add credibility in targeted spear phishing messages," Risher said. "Identifying these messages can be quite tricky, so users are encouraged to use a mail client and web browser with robust anti-phishing warnings; the default app on your phone or laptop may not offer these protections."
Anthony James, vice president at CipherCloud, based in San Jose, Calif., said API-based attacks like that allowed by the USPS website flaw "are the reason that even database encryption is failing."
"If you can compromise the API, you can access and exfiltrate the encrypted data in the database. The best-practice solution is to now encrypt the data at the cloud edge," James said. "This means the data is encrypted from the time it goes into the cloud until the time it is retrieved. End-to-end encryption provides data protection when the data is in use, in transit and in the database."