US Postal Service Plugs API Flaw - One Year LaterFlaw Exposed Personal Data for 60 Million 'Informed Visibility' Accounts
A vulnerability in a U.S. Postal Service application for tracking mail in real time would have allowed anyone logged into the service to view personal data for as many as 60 million accounts.
USPS fixed the error within 48 hours, according to information security blogger Brian Krebs, who alerted the organization after he received a tip from an anonymous security researcher.
Krebs reports, however, that his source told USPS of the problem more than a year ago. The issue wasn't fixed then, and USPS apparently never responded to the researcher.
"We currently have no information that this vulnerability was leveraged to exploit customer records. The information shared with the Postal Service allowed us to quickly mitigate this vulnerability."
In a statement, USPS says the incident is under investigation and that it doesn't believe others took advantage of the problem.
"We currently have no information that this vulnerability was leveraged to exploit customer records," USPS says. "The information shared with the Postal Service allowed us to quickly mitigate this vulnerability.
"Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information," it continued. "Similar to other companies, the Postal Service's Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity."
Colin Bastable, CEO of Lucy Security, says that USPS's "inexcusable delay in rectifying the problem has exposed millions to the risk of cybercrime. The USPS breach is yet another example of the dreadful risks that American consumers take every day, simply by going about their daily business online."
Full Query Access
The apparent source of the issue was an authentication-related vulnerability within an application programming interface, or API, for USPS's Informed Visibility service, which provides tracking updates for letters, flat mail, bundles and containers for business customers.
Krebs writes that the vulnerability allowed anyone with an account to query the database behind it. The API also accepted wildcard parameters, which meant that all records for a particular data set would be returned without the need for precise search terms, he writes.
The problem at USPS is just the latest example of developers having failed to properly limit access to an API, says Rusty Carter, vice president of product management with the application security company Arxan.
Without proper access controls, "developers need to assume that all the data and functionality inside the app can be made directly available as a tool to any attacker," Carter says.
Krebs writes that searching for an email address, for example, could return account information for not only one user, but any other accounts that were also registered at the same postal address.
The personal data in the Informed Visibility accounts can include email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users and mailing campaign data, Krebs writes.
Krebs reports that it appeared before the issue was fixed that someone could change personal information for another user. He tried to modify the email address for his account. Fortunately, USPS sends a confirmation email that requires a user to click a link to confirm a change.
Disclosure Issues, Once Again
The fact that USPS apparently didn't heed the advice of the security researcher is particularly worrisome, but far from unheard of. It's unclear why companies and organizations either ignore or fail to take seriously tips from anonymous researchers.
And that's a source of endless frustration in the security community. Even well-known security pros who disclose issues have been ignored, which has caused some to tweet or publicize their findings in the hope that some resulting embarrassment will trigger action.
A security researcher informed USPS of the vuln a year ago, but they never responded. @briankrebs reaches out and they fix it in under 48 hours.— Jeremiah Grossman (@jeremiahg) November 21, 2018
Idea: Start disclosing vulns as a 'journalist' instead of a 'security researcher' and let's see what happens. https://t.co/MRGuizSWSR
Researchers often take their findings to the news media if they don't get a response from an organization they've alerted. Queries to press offices often appear to get prioritized, potentially over fears that they will spark negative news stories.
Jeremiah Grossman, CEO of Bit Discovery, humorously tweeted that security professionals should consider classifying themselves as journalists when approaching organizations. "Idea: Start disclosing vulns as a 'journalist' instead of a 'security researcher' and let's see what happens," Grossman tweeted.