- A critical flaw in the US Postal Service (USPS) website exposed the account details of 60 million users.
- The flaw allowed any logged-in usps.com user to view and modify the account details of other users.
- The flaw was reported by security journalist Brian Krebs (KrebsOnSecurity), who was contacted by a researcher who asked not to be named.
- USPS fixed the flaw after it was publicly disclosed.
A researcher has discovered a critical flaw in the US Postal Service (USPS) website that exposed the account details of 60 million users.
The flaw allowed anyone with an account on usps.com to view and change the account details of other users.
The flaw was disclosed by security journalist Brian Krebs of KrebsOnSecurity, who said it was found by another researcher who wishes to remain anonymous.
The researcher who discovered the flaw contacted USPS more than a year ago and received no response. USPS fixed the flaw only after the vulnerability was publicly disclosed.
The flaw was an authentication weakness in a USPS web component known as an application programming interface (API). In practice it was an access-control failure: the API checked that a caller was logged in, but not that the records being requested belonged to that caller.
“The API in question was tied to a Postal Service initiative called ‘Informed Visibility,’ which according to the USPS is designed to let businesses, advertisers and other bulk mail senders ‘make better business decisions by providing them with access to near real-time tracking data’ about mail campaigns and packages.”
The flaw exposed near real-time tracking data about packages and mail sent by USPS commercial customers.
The flaw let any logged-in usps.com user query the system for account details belonging to any other user, including email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.
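As an added illustration of the class of flaw described above (this is example code written for this page, not the usps.com or Informed Visibility code, which was never published), the hypothetical Python below models an API handler that verifies the caller's session but never checks who owns the requested record, beside a version with the missing authorization check. The account data, session tokens and function names are constructed for the example.

```python
# Added illustration (not usps.com code): the class of flaw described above.
# An API that confirms the caller is logged in (authentication) but never
# checks that the requested record belongs to the caller (authorization)
# lets any user read or change any other user's details.
# All names, accounts and session tokens here are constructed for the example.

from dataclasses import dataclass, field


class Unauthorized(Exception):
    """No valid session: the caller is not logged in at all."""


class Forbidden(Exception):
    """Valid session, but the caller may not touch this record."""


@dataclass
class Account:
    user_id: int
    username: str
    email: str
    street_address: str
    phone: str
    # user_ids permitted to act on this account (the "authorized users" field)
    authorized_users: list = field(default_factory=list)


# Constructed sample data standing in for the API's backing store.
ACCOUNTS = {
    1001: Account(1001, "alice", "alice@example.com", "1 Main St", "555-0100"),
    1002: Account(1002, "bob", "bob@example.com", "2 Elm St", "555-0101", [1003]),
    1003: Account(1003, "carol", "carol@example.com", "3 Oak St", "555-0102"),
}
SESSIONS = {"sess-alice": 1001, "sess-bob": 1002, "sess-carol": 1003}


def _caller_id(session_token):
    """Authentication only: map a session token to the logged-in user_id."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise Unauthorized("login required") from None


def get_account_vulnerable(session_token, user_id):
    """Vulnerable: any logged-in user can fetch any account by id."""
    _caller_id(session_token)            # proves the caller is *someone*
    return ACCOUNTS[user_id]             # ...but not that the record is theirs


def update_email_vulnerable(session_token, user_id, new_email):
    """Vulnerable: the same missing check on the write path."""
    _caller_id(session_token)
    ACCOUNTS[user_id].email = new_email
    return ACCOUNTS[user_id]


def _authorize(caller_id, user_id):
    """Authorization: the record must be the caller's own, or list the caller
    as an authorized user. Missing and foreign records get the same error so
    the endpoint cannot be used to enumerate which user ids exist."""
    record = ACCOUNTS.get(user_id)
    if record is None or (record.user_id != caller_id
                          and caller_id not in record.authorized_users):
        raise Forbidden("not your record")
    return record


def get_account_fixed(session_token, user_id):
    """Fixed: authenticate, then check ownership before returning data."""
    return _authorize(_caller_id(session_token), user_id)


def update_email_fixed(session_token, user_id, new_email):
    """Fixed: the same ownership check guards the write path."""
    record = _authorize(_caller_id(session_token), user_id)
    record.email = new_email
    return record


def raises(exc_type, fn, *args):
    """Helper: True if calling fn(*args) is rejected with exc_type."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    # alice reading bob's record succeeds on the vulnerable path...
    print(get_account_vulnerable("sess-alice", 1002).email)
    # ...and is refused on the fixed path
    print(raises(Forbidden, get_account_fixed, "sess-alice", 1002))
```

The only difference between the two paths is the ownership check in `_authorize`; the vulnerable handlers are reachable by exactly the population the article describes, any user who can log in. Applying the same check on the write path is what stops the "modify" half of the flaw, and returning one error for both missing and foreign ids keeps the fixed endpoint from doubling as a user-id enumeration oracle.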
The researcher confirmed the USPS user accounts were not exposed via this API.
“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law,” USPS said in a statement to KrebsOnSecurity.
USPS also said it is currently investigating the issue and has so far found no evidence that the data was misused.