US Postal Services
News | 11/27/2018

Flawed API of US Postal Services Exposed 60 Million Users Data

A serious security flaw in the Application Programming Interface (API) of the US Postal Service exposed the personal data of over 60 million users over the course of 2017 and 2018.

This vulnerability on the USPS website allowed anyone with an account at usps.com to view the personal information and account details of other users. In some cases, the flaw even allowed users to modify details in the affected accounts. The exposed information included user names, user IDs, e-mail addresses, account numbers, street addresses and contact numbers.

An anonymous researcher discovered the problem a year ago and reported it to the US Postal Service; however, USPS did not act on the researcher's warning at the time.

USPS patched the issue last week after the security investigator Krebs (KrebsOnSecurity) flagged it.

Insight into the API Defect

The root cause of the vulnerability is an authentication weakness in the site's Application Programming Interface (API), the set of interfaces that defines how the different parts of an online application, such as web pages and databases, interact with each other.

The USPS API involved in the issue was tied to a Postal Service initiative named "Informed Visibility". According to the US Postal Service, it was designed to let advertisers, bulk mail senders and other businesses expand their operations by giving them access to near real-time tracking data.

Apart from exposing near real-time data about mail campaigns and packages, the flaw let logged-in users access accounts belonging to others and harvest their personal information. The compromised API could have let an attacker pull data from as many as 60 million USPS customer accounts.

At the core of the flaw, the USPS API was designed to accept "wildcard" search parameters without any restriction based on the caller's permissions.

These wildcard search parameters were enough to pull other users' data without their consent; all that was needed was a basic knowledge of how to view and modify the data elements a browser such as Chrome or Firefox sends to the site.

A wildcard search parameter acts as an open-ended query that lets a user harvest every record matching a given set of criteria.
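The two behaviours the article contrasts, a search that applies caller-supplied wildcards with no permission check and one that scopes every query to the authenticated caller, as an added illustration in Python. This is constructed example code, not the USPS API; the record store, the field names and the `search_records_*` functions are assumptions.

```python
import fnmatch

# Constructed sample account records for the demonstration (not real USPS data).
RECORDS = [
    {"user_id": "1001", "email": "alice@example.com", "street": "1 Main St"},
    {"user_id": "1002", "email": "bob@example.com", "street": "2 Oak Ave"},
    {"user_id": "2001", "email": "carol@example.com", "street": "3 Pine Rd"},
]

WILDCARD_CHARS = set("*?[")


class PermissionDenied(Exception):
    """Raised when a caller asks for records that are not their own."""


def search_records_vulnerable(caller_id, filters):
    """Weak pattern: caller-supplied filters, wildcards included, are applied
    directly to the record store and the caller's identity is never consulted.
    A filter such as {"user_id": "*"} therefore returns every account."""
    return [
        rec for rec in RECORDS
        if all(fnmatch.fnmatchcase(str(rec.get(key, "")), pattern)
               for key, pattern in filters.items())
    ]


def search_records_hardened(caller_id, filters):
    """Hardened pattern: reject wildcard metacharacters, refuse any attempt to
    query another identity, and force the query scope to the caller server-side."""
    for key, value in filters.items():
        if WILDCARD_CHARS & set(value):
            raise ValueError(f"wildcard characters are not permitted in filter {key!r}")
    requested = filters.get("user_id", caller_id)
    if requested != caller_id:
        raise PermissionDenied("callers may only query their own account")
    scoped = dict(filters, user_id=caller_id)  # scope comes from the session, not the client
    return [
        rec for rec in RECORDS
        if all(str(rec.get(key, "")) == value for key, value in scoped.items())
    ]
```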

Conclusion

APIs are turning out to be a weak point when it comes to business-to-business connectivity and security.

To avoid similar data breaches in future, companies and government agencies should become proactive about application security and make data security a consistent, top-of-mind concern.

Organizations must commit to the strictest testing of exposed surfaces such as APIs, mobile apps, websites, databases and network connections, and firms that rely on digital services must educate and empower their developers to follow secure coding practices.

The US Postal Service patched the flaw last week and is now investigating to ensure that no one had inappropriate access to users' accounts and their sensitive information.
