Flawed US Postal Service API exposes data on 60 million users

A significant flaw has been discovered in the website of the US Postal Service which exposed near real-time data about packages sent by commercial customers and, in some cases, allowed users to change information belonging to other account holders.

USPS was informed of the security flaw over a year ago, according to the researcher who made the discovery. Upon receiving a message from the researcher detailing the issue, industry expert Brian Krebs alerted USPS once again, which prompted the organisation to issue a fix.

The fault lay in the site's application programming interface (API) which was tied to its 'Informed Visibility' service, a tool that provides real-time tracking data to businesses and advertisers. The flaw not only exposed this information online, it also allowed any user that was logged in to usps.com to search the site and gain access to account details belonging to any other USPS user, including email addresses and phone numbers.

Even more alarmingly, because the API accepted 'wildcard' parameters, multiple or all records for a given data set such as a home address could be revealed without having to search anything more specifically. All of this could be done without special hacking tools, just a simple understanding of how to use the 'inspect element' feature in Chrome would suffice, according to the researcher.

Krebs also discovered that once inside another user's account, account changes could be requested, such as name or email address changes. Fortunately, USPS validation checks require account owners to validate any such changes by clicking on an email link, and so any such attempts would have been flagged.

Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley told Krebs "this is not even Information Security 101, this is Information Security 1, which is to implement access control. It seems like the only access control they had in place was that you were logged in at all. And if you can access other people's' data because they aren't enforcing access controls on reading that data, it's catastrophically bad."

Speaking to IT Pro, Rusty Carter, VP of product management at Arxan said: "While APIs serve a great purpose in enhancing the functionality of many sites, this is just the latest example of how they can allow unauthorised and unexpected access to data they should not be allowed to display or serve up to anyone who uses them.

"When building out APIs, organisations and developers need to assume that all the data and functionality inside the app can be made directly available as a tool to any attacker."

APIs are usually highly functional tools that can enhance a website's functionality; they allow different apps to exchange data and communicate with each other. For example, Google Maps allows developers to use Google's API to include location and mapping data instead of having to do it themselves.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.