USPS Site Exposed Data on 60 Million Users

The U.S. Postal Service (November 2018) just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.

KrebsOnSecurity was contacted last week by a researcher who discovered the problem, but who asked to remain anonymous. The researcher said he informed the USPS about his finding more than a year ago yet never received a response. After confirming his findings, this author contacted the USPS, which promptly addressed the issue.

The problem stemmed from an authorization weakness in a USPS Web component known as an “application programming interface,” or API: a defined set of calls through which the parts of an online application, such as databases and Web pages, interact with one another. The API confirmed that a caller was logged in, but not that the records it returned belonged to that caller.

The API in question was tied to a Postal Service initiative called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.

In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.
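The class of flaw described above is usually called broken object-level authorization (or an insecure direct object reference): the endpoint authenticates the session but never checks that the requested record belongs to the session's owner. The following is an added, illustrative model of that pattern and its fix; it is hypothetical code written for this page, not the USPS Informed Visibility API, and the account records, session tokens and function names are all constructed for the example.

```python
# Illustrative model of broken object-level authorization in an account-lookup API.
# Hypothetical code for this page; not USPS's Informed Visibility API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: int
    username: str
    email: str
    street_address: str


# Constructed sample data standing in for the account table.
ACCOUNTS = {
    1001: Account(1001, "alice", "alice@example.com", "1 Main St"),
    1002: Account(1002, "bob", "bob@example.com", "2 Oak Ave"),
    1003: Account(1003, "carol", "carol@example.com", "3 Elm Rd"),
}

# Constructed session store: session token -> authenticated user id.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


class Unauthorized(Exception):
    """Caller presented no valid session (HTTP 401 in a real API)."""


class Forbidden(Exception):
    """Caller is logged in but may not access this record (HTTP 403)."""


def authenticate(session_token):
    """Map a session token to the user id that owns it, or reject the call."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise Unauthorized("no valid session") from None


def get_account_vulnerable(session_token, target_user_id):
    """Authenticates the caller, then returns whichever record was asked for.

    Authentication alone is the weak point: any logged-in user can read
    (or, with a matching update handler, modify) any other user's record
    simply by varying target_user_id.
    """
    authenticate(session_token)
    return ACCOUNTS[target_user_id]


def get_account_fixed(session_token, target_user_id):
    """Authentication plus object-level authorization.

    The record is returned only if it belongs to the authenticated caller.
    The ownership check uses the server-side session identity, never a
    caller-supplied claim of who they are.
    """
    caller_id = authenticate(session_token)
    if caller_id != target_user_id:
        raise Forbidden("account does not belong to caller")
    return ACCOUNTS[target_user_id]


def count_readable(handler, session_token):
    """Probe helper: how many account records one session can read through
    the given handler. Enumerating ids this way is how the exposure
    described in the article would be measured in testing."""
    readable = 0
    for user_id in ACCOUNTS:
        try:
            handler(session_token, user_id)
            readable += 1
        except Forbidden:
            pass
    return readable


if __name__ == "__main__":
    print("vulnerable handler, alice can read:",
          count_readable(get_account_vulnerable, "tok-alice"), "records")
    print("fixed handler, alice can read:",
          count_readable(get_account_fixed, "tok-alice"), "record")
```

The practitioner's check is the `count_readable` probe run against every endpoint that takes a record identifier: with a single low-privilege session, the number of other users' records you can fetch or change should be zero. Note that the fixed handler derives the caller's identity from the session on the server side; comparing against a user id that the client itself sends would re-open the same hole.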


Full Article: Krebs on Security
