US Postal Service Website Left Data Exposed for Over a Year
The United States Postal Service has fixed a security issue that had caused its website to expose data relating to over 60 million users for over a year. Brian Krebs wrote, on 21 November, on his website KrebsOnSecurity, “U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.”
An independent researcher, who chose to remain unnamed, had contacted KrebsOnSecurity a week earlier and passed on information about this issue, which he had detected over a year earlier and had promptly reported to the USPS. Having received no response, he contacted KrebsOnSecurity. Brian Krebs confirmed the findings and then contacted the USPS, which addressed the issue promptly. The issue stemmed from an authentication weakness in an API on the USPS website. An API (Application Program Interface) is a web component: essentially a set of tools that define how the various parts of an online application, for example web pages and databases, should interact with one another.
Brian Krebs writes, “The API in question was tied to a Postal Service initiative called ‘Informed Visibility,’ which according to the USPS is designed to let businesses, advertisers and other bulk mail senders ‘make better business decisions by providing them with access to near real-time tracking data’ about mail campaigns and packages.”
Krebs explains how the API issue led to the data exposure: “In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.”
The API had many features that, according to Brian Krebs, accepted “wildcard” search parameters, thereby letting a user retrieve from the API all records for a given data set without even searching for specific terms. He says, “No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox.”
The U.S. Postal Service is an independent agency of the American Federal government and is explicitly authorized by the United States Constitution.
KrebsOnSecurity reviewed the issue and found that the flawed API could allow any user to request changes for any other user; thus a user could change another user’s email address, phone number, etc., by exploiting this flaw.
Krebs notes, “Fortunately, the USPS appears to have included a validation step to prevent unauthorized changes — at least with some data fields. Attempts to modify the email address associated with my USPS account via the API prompted a confirmation message sent to the email address tied to that account (which required clicking a link in the email to complete the change).”
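The two weaknesses described above, a lookup that trusts a wildcard selector and a write that trusts the target user id, come down to missing object-level authorization. The following is an added illustration, not USPS code and not tied to the real Informed Visibility API: the vulnerable lookup beside hardened read and write handlers, with constructed sample accounts and a `Forbidden` exception as assumed names.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Account:
    user_id: str
    email: str
    phone: str
    pending_email: Optional[str] = None

# Constructed sample records; not real usps.com data.
ACCOUNTS = {
    "u100": Account("u100", "alice@example.com", "555-0100"),
    "u200": Account("u200", "bob@example.com", "555-0200"),
    "u300": Account("u300", "carol@example.com", "555-0300"),
}

class Forbidden(Exception):
    """Raised when the caller may not read or change the selected record."""

def vulnerable_lookup(session_user: str, user_id_param: str) -> List[Account]:
    """The reported weakness: the session proves only that the caller is logged
    in; the record selector is trusted and wildcards are honoured."""
    return [a for uid, a in ACCOUNTS.items()
            if fnmatch.fnmatchcase(uid, user_id_param)]

def hardened_lookup(session_user: str, user_id_param: str) -> List[Account]:
    """Object-level authorization: reject pattern characters, then require the
    selected record to belong to the authenticated principal."""
    if any(c in user_id_param for c in "*?[]"):
        raise Forbidden("pattern characters are not a valid user id")
    if user_id_param != session_user:
        raise Forbidden("record belongs to another user")
    return [ACCOUNTS[user_id_param]]

def hardened_update_email(session_user: str, user_id_param: str, new_email: str) -> str:
    """Same ownership check on writes; the change is only staged until the
    current address confirms it (the validation step Krebs observed)."""
    if user_id_param != session_user:
        raise Forbidden("cannot modify another user's account")
    ACCOUNTS[user_id_param].pending_email = new_email
    return "confirmation sent to " + ACCOUNTS[user_id_param].email

def denied(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```

Note that the hardened version refuses the wildcard even before checking ownership, so a logged-in caller can never enumerate the data set, and an e-mail change never takes effect without the existing owner's confirmation.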
The inference, however, is that USPS account passwords were most likely not exposed via the flawed API.
Security experts state that to prevent such incidents, government agencies and organizations should be proactive in their approach to application security. Security should be a top priority for any business or organization that handles consumer data; all exposed elements, such as APIs, mobile apps, websites, databases and network connections, must be monitored and subjected to strict security testing.