Millions of USPS users’ data leaked due to a security vulnerability

by Gabriel E. Hall

A security bug on the usps.com site exposed users' data

Yesterday, KrebsOnSecurity announced that it had been contacted by a researcher who found a critical security vulnerability on the official site of the United States Postal Service (USPS).[1] As a result, over 60 million usps.com customers had their sensitive details exposed. The USPS is a postal agency located in North America that is authorized by the United States Constitution (USC) and is responsible for postal operations.[2]

The USPS vulnerability stemmed from an authentication weakness in an application program interface (API) named Informed Visibility, a programming service created as a tool that helps business customers track their mail. The vulnerability could allow a potential attacker to make changes to all usps.com users' accounts. Furthermore, if an attacker managed to break into someone's account, they could steal various private details, including the following:[3]

  • usernames;
  • user IDs;
  • email addresses;
  • account codes;
  • residence addresses;
  • mobile phone numbers.

Moreover, because the API enabled anyone to log into any user's account on the usps.com site, it turned out to be a huge issue in this case:[4]

APIs are turning out to be a double-edged sword when it comes to internet scale B2B connectivity and security. APIs, when insecure, break down the very premise of uber connectivity they have helped establish.
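The class of weakness described above, as an added example that is not from the article, KrebsOnSecurity or USPS: it assumes the weakness takes the form of an API that checks that the caller is logged in but not whether the requested account is theirs, and sets it beside a per-account check and an audit of past requests. All account IDs, records, function names, the delegation rule and the log are constructed for illustration.

```python
# Added illustration; every name and record is constructed, not USPS code or data.
ACCOUNTS = {
    "1001": {"username": "alice", "email": "alice@example.com", "phone": "555-0100"},
    "1002": {"username": "bob", "email": "bob@example.com", "phone": "555-0101"},
    "1003": {"username": "carol", "email": "carol@example.com", "phone": "555-0102"},
}
# Assumed delegation rule: caller -> other accounts it may read (e.g. a business admin).
DELEGATES = {"1003": {"1002"}}


class Forbidden(Exception):
    """Raised when a request must be refused."""


def lookup_unchecked(caller_id, target_id):
    """Weak pattern: authentication only, so any logged-in caller reads any record."""
    if caller_id not in ACCOUNTS:
        raise Forbidden("not logged in")
    return ACCOUNTS[target_id]


def may_read(caller_id, target_id):
    """Per-object policy: own account, or an explicitly delegated one."""
    return caller_id == target_id or target_id in DELEGATES.get(caller_id, set())


def lookup_checked(caller_id, target_id):
    """Hardened pattern: authenticate, then authorize against the requested account."""
    if caller_id not in ACCOUNTS:
        raise Forbidden("not logged in")
    if not may_read(caller_id, target_id):
        raise Forbidden("caller may not read this account")
    return ACCOUNTS[target_id]


def audit(log):
    """Return {caller: sorted targets} for logged reads the policy would have denied."""
    hits = {}
    for caller_id, target_id in log:
        if not may_read(caller_id, target_id):
            hits.setdefault(caller_id, set()).add(target_id)
    return {caller: sorted(targets) for caller, targets in hits.items()}


# Constructed access log of (caller, requested account) pairs.
LOG = [("1001", "1001"), ("1003", "1002"), ("1001", "1002"), ("1001", "1003")]
```

Running `audit(LOG)` over historical requests is the kind of review an operator needs after such a flaw is fixed, since the hardened check only protects future requests.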

USPS had been ignoring the problem for over a year

Sadly, the USPS had been ignoring this problem for over one year! The organization was aware of this issue for some time but did not take any action to fix it until a researcher, who did not want to reveal their identity, contacted the Postal Service and reported this vulnerability. This time, the company started taking care of the problem after 48 hours had passed.

USPS has been trying to show some interest in the problem and is ready to take action against those who have managed to misuse the exposed details:

Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.

However, no particular news was provided about the exposed data. A privacy advocate named Paul Bischoff has claimed that they do not know whether any hacker has misused the leaked details, but we need to be realistic: the vulnerability was ignored for over one year, so anything could have happened during that period.

Online safety is obligatory

Even though we cannot control anything on our own, we still play an important role in our own internet security. Every single computer user has to take care of his/her online safety.

First, make sure that you provide as few personal details as possible, in case of exposure. Do not register an account that you do not truly need, as doing so increases the risk of identity theft.

Moreover, you should always create strong passwords that contain letters, numbers, and symbols and are very hard to guess. Additionally, using two-factor authentication[5] will also strengthen your online account's safety.

About the author

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.


References