Flawed US Postal Service API exposes data on 60 million users

The fault allowed users to access any USPS account using basic Google Chrome features

A significant flaw has been discovered in the website of the US Postal Service which exposed near real-time data about packages sent by commercial customers and, in some cases, allowed users to change information belonging to other account holders.

USPS was informed of the security flaw over a year ago, according to the researcher who made the discovery. Upon receiving a message from the researcher detailing the issue, industry expert Brian Krebs alerted USPS once again, which prompted the organisation to issue a fix.

The fault lay in the site's application programming interface (API) which was tied to its 'Informed Visibility' service, a tool that provides real-time tracking data to businesses and advertisers. The flaw not only exposed this information online, it also allowed any user that was logged in to usps.com to search the site and gain access to account details belonging to any other USPS user, including email addresses and phone numbers.

Even more alarmingly, because the API accepted 'wildcard' parameters, multiple or all records for a given data set such as a home address could be revealed without having to search anything more specifically. All of this could be done without special hacking tools, just a simple understanding of how to use the 'inspect element' feature in Chrome would suffice, according to the researcher.

Krebs also discovered that once inside another user's account, account changes could be requested, such as name or email address changes. Fortunately, USPS validation checks require account owners to validate any such changes by clicking on an email link, and so any such attempts would have been flagged.

Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley told Krebs "this is not even Information Security 101, this is Information Security 1, which is to implement access control. It seems like the only access control they had in place was that you were logged in at all. And if you can access other people's' data because they aren't enforcing access controls on reading that data, it's catastrophically bad."

Speaking to IT Pro, Rusty Carter, VP of product management at Arxan said: "While APIs serve a great purpose in enhancing the functionality of many sites, this is just the latest example of how they can allow unauthorised and unexpected access to data they should not be allowed to display or serve up to anyone who uses them.

"When building out APIs, organisations and developers need to assume that all the data and functionality inside the app can be made directly available as a tool to any attacker."

APIs are usually highly functional tools that can enhance a website's functionality; they allow different apps to exchange data and communicate with each other. For example, Google Maps allows developers to use Google's API to include location and mapping data instead of having to do it themselves.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Most Popular

GitHub to prohibit code that’s used in active attacks
cyber security

GitHub to prohibit code that’s used in active attacks

7 Jun 2021
WWDC 2021: Apple unveils iOS 15, macOS Monterey and more
iOS

WWDC 2021: Apple unveils iOS 15, macOS Monterey and more

8 Jun 2021
OnePlus 9 Pro review: An instant cult classic
Hardware

OnePlus 9 Pro review: An instant cult classic

7 Jun 2021