USPS did not find proof of actors exploiting the issue

Nov 21, 2018 22:53 GMT  ·  By

After being contacted by Krebs On Security, the U.S. Postal Service (USPS) fixed a critical security issue that left the phone numbers and email addresses of more than 60 million users exposed to anyone with an account.

The flaw, described as an authentication weakness in a USPS API (in practice a missing check on which records a logged-in user was allowed to query), would also have let a malicious actor alter the account details of other users.

According to KrebsOnSecurity, "The API in question was tied to a Postal Service initiative called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages."

Despite the severity of the issue, found by an anonymous researcher who first reported it to KrebsOnSecurity, the Postal Service said it found no evidence that any third party had accessed or abused the API bug.

An attacker who knew about the issue could have searched for and listed any USPS user's "email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data," and more, with little effort.

The API access control security issue exposed near real-time user data

Because the flaw sat in the USPS API itself, an attacker needed nothing more than an ordinary web browser to query the API endpoints and collect the data.

Furthermore, because the bug also let logged-in USPS users query with wildcards and on shared elements such as email addresses, an adversary could quickly pivot from one record to every user that shared a search element such as a street address or email address.
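The class of bug described above, as an added example that is not code from the original article and has nothing to do with the real USPS API: a logged-in user is authenticated, but nothing ties the records a query may return (or the account an update may modify) to that user, and wildcard patterns let one query sweep every record that shares a field value. The records, field names and function names here are constructed for illustration.

```python
import fnmatch

# Constructed sample records (hypothetical; not USPS data).
RECORDS = {
    1001: {"username": "alice", "email": "alice@example.com", "phone": "555-0101", "street": "1 Main St"},
    1002: {"username": "bob", "email": "bob@example.com", "phone": "555-0102", "street": "2 Main St"},
    1003: {"username": "carol", "email": "carol@example.net", "phone": "555-0103", "street": "2 Main St"},
}
ALLOWED_FIELDS = {"username", "email", "phone", "street"}


class Forbidden(Exception):
    pass


def _require_login(session_user_id):
    # Authentication only: the caller must be a known, logged-in user.
    if session_user_id not in RECORDS:
        raise Forbidden("login required")


def vulnerable_search(session_user_id, field, pattern):
    """Authentication is enforced, authorization is not: any logged-in user
    can run a wildcard match over every account's records. Returns matching
    user IDs, sorted."""
    _require_login(session_user_id)
    return sorted(uid for uid, rec in RECORDS.items()
                  if fnmatch.fnmatchcase(str(rec.get(field, "")), pattern))


def hardened_search(session_user_id, field, value):
    """Object-level authorization: the lookup is scoped to the caller's own
    record, the field is whitelisted, and wildcard metacharacters are rejected
    outright rather than interpreted."""
    _require_login(session_user_id)
    if field not in ALLOWED_FIELDS:
        raise ValueError("unknown field")
    if any(c in value for c in "*?["):
        raise ValueError("wildcard characters are not permitted")
    rec = RECORDS[session_user_id]
    return [session_user_id] if rec[field] == value else []


def vulnerable_update_phone(session_user_id, target_user_id, new_phone):
    """The account to modify comes from the request, so a caller can change
    another user's details. Returns the ID that was modified."""
    _require_login(session_user_id)
    RECORDS[target_user_id]["phone"] = new_phone
    return target_user_id


def hardened_update_phone(session_user_id, new_phone):
    """The account to modify is derived from the session, never from the request."""
    _require_login(session_user_id)
    RECORDS[session_user_id]["phone"] = new_phone
    return session_user_id


def raises(exc, fn, *args):
    """Small helper: True if calling fn(*args) raises exc."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    # Logged in as alice (1001), enumerate everyone on example.com, then
    # pivot on a shared street address to find bob and carol.
    print(vulnerable_search(1001, "email", "*@example.com"))
    print(vulnerable_search(1001, "street", "2 Main St"))
    # The hardened endpoint only ever answers about the caller's own record.
    print(hardened_search(1001, "street", "2 Main St"))
```

The fix is not input sanitisation alone: even with wildcards refused, an endpoint that accepts a target account from the request still has to check that the session is entitled to that account, which is why `hardened_update_phone` takes no target ID at all.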

"Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously," said the USPS in a statement sent to KrebsOnSecurity.

Moreover, "Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."
