A serious security flaw in the Application Programming Interface (API) of the US Postal Service exposed the personal data of over 60 million users over the course of 2017 and 2018.
The vulnerability on the usps.com website allowed anyone with a usps.com account to view the personal information and account details of other users, and in some cases to modify the details of the affected accounts. The exposed data included username, user ID, email address, account number, street address and phone number.
An anonymous researcher discovered the problem about a year earlier and reported it to the US Postal Service, but USPS did not act on the warning at the time.
USPS patched the issue last week after security journalist Brian Krebs (KrebsOnSecurity) flagged it.
The root cause of the vulnerability is an access-control weakness in the site's API, the set of interfaces that defines how the parts of an online application, such as its web pages and its database, interact. Callers were authenticated, but the API did not restrict which records an authenticated caller could query.
The API involved was tied to a Postal Service initiative called "Informed Visibility". According to USPS, it was designed to let advertisers, bulk mailers and other businesses improve their operations by giving them access to near real-time tracking data for their mail.
Besides exposing near real-time data about mail campaigns and packages, the flaw let any logged-in user access other users' accounts and harvest their personal information. It is likely that the compromised API would have let an attacker pull records from as many as 60 million USPS customer accounts.
The flaw came down to the fact that the API accepted "wildcard" search parameters without any restriction based on the caller's permissions.
A wildcard search parameter was enough to pull other users' data without their consent; all it required was basic familiarity with viewing and modifying the data elements a browser such as Chrome or Firefox sends to the server, for example through the browser's developer tools.
A wildcard search parameter acts as an open-ended query: instead of matching one specific value, it matches every record in a given set, so a single request could return all of them.
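As an added illustration, not code from USPS or from this article, the following constructed Python sketch shows the pattern described above: a search handler that accepts wildcard filters and never scopes results to the authenticated caller, beside a hardened version that whitelists filter keys, rejects wildcard metacharacters and enforces object-level authorization on both reads and updates. The account records, field names and function names are all assumptions made for the example.

```python
import copy
import fnmatch

# Constructed sample records for the demonstration; not real data.
ACCOUNTS = [
    {"user_id": 1001, "username": "alice", "email": "alice@example.com",
     "street": "1 Main St", "phone": "555-0100"},
    {"user_id": 1002, "username": "bob", "email": "bob@example.com",
     "street": "2 Oak Ave", "phone": "555-0101"},
    {"user_id": 1003, "username": "carol", "email": "carol@example.com",
     "street": "3 Elm Rd", "phone": "555-0102"},
]

# Keys a caller may filter on in the hardened handler; everything else is rejected.
ALLOWED_FILTER_KEYS = {"username", "email"}
# Fields the account owner is allowed to change.
EDITABLE_FIELDS = {"email", "phone", "street"}
WILDCARD_CHARS = set("*?[]")


def fresh_accounts():
    """Return an independent copy of the sample records so updates can be demonstrated safely."""
    return copy.deepcopy(ACCOUNTS)


def vulnerable_search(accounts, session_user_id, filters):
    """Weak pattern: the caller is authenticated (session_user_id) but the results are
    never scoped to that caller, and filter values are matched as shell-style wildcards.
    A filter such as {"email": "*"} therefore returns every account in the table."""
    matches = []
    for acct in accounts:
        if all(fnmatch.fnmatchcase(str(acct.get(key, "")), pattern)
               for key, pattern in filters.items()):
            matches.append(acct)
    return matches


def hardened_search(accounts, session_user_id, filters):
    """Hardened pattern: whitelisted keys only, no wildcard metacharacters, exact matching,
    and every returned object is checked against the session owner (object-level authorization)."""
    for key, value in filters.items():
        if key not in ALLOWED_FILTER_KEYS:
            raise PermissionError(f"filtering on {key!r} is not permitted")
        if not isinstance(value, str) or WILDCARD_CHARS & set(value):
            raise ValueError("wildcard characters are not permitted in search filters")
    return [acct for acct in accounts
            if acct["user_id"] == session_user_id
            and all(acct.get(key) == value for key, value in filters.items())]


def vulnerable_update(accounts, session_user_id, target_user_id, changes):
    """Weak pattern: trusts the client-supplied target_user_id, so a caller who edits that
    field in the request can modify someone else's record."""
    for acct in accounts:
        if acct["user_id"] == target_user_id:
            acct.update(changes)
            return True
    return False


def hardened_update(accounts, session_user_id, target_user_id, changes):
    """Hardened pattern: the target must be the session owner, and only user-editable
    fields may change (user_id, username and account-level fields stay protected)."""
    if target_user_id != session_user_id:
        raise PermissionError("cannot modify another user's account")
    if set(changes) - EDITABLE_FIELDS:
        raise PermissionError("attempt to modify a protected field")
    for acct in accounts:
        if acct["user_id"] == session_user_id:
            acct.update(changes)
            return True
    return False


if __name__ == "__main__":
    # What an ordinary logged-in user (alice, 1001) obtains from each handler.
    print("vulnerable, filter email=*  ->", [a["username"] for a in vulnerable_search(ACCOUNTS, 1001, {"email": "*"})])
    print("hardened,   filter email=bob ->", hardened_search(ACCOUNTS, 1001, {"email": "bob@example.com"}))
```

The two fixes are independent: rejecting wildcard characters stops bulk harvesting through one request, and scoping every read and write to the session owner stops one-at-a-time enumeration of other users' records even when the filter is an exact value.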
APIs are becoming a double-edged tool for business-to-business connectivity: they make integration easy, but an API that does not enforce authorization on every request is a direct path to the data behind it.
To avoid similar breaches in future, companies and government agencies should take a proactive approach to application security and make data security a consistent, top-of-mind concern.
Organizations must rigorously test exposed components such as APIs, mobile apps, websites, databases and network connections against attack, and firms that depend on digital services must educate and empower their developers to follow secure coding practices.
The US Postal Service patched the flaw last week and is now investigating to ensure that no one gained inappropriate access to user accounts and their sensitive information.