The United States Postal Service confirmed recently that it has patched an API flaw which exposed the account details of up to 60 million users. In some cases, the vulnerability could also have allowed attackers to modify other users’ account details.
KrebsOnSecurity, which first reported the issue, was notified of the problem by a security researcher who claims to have notified USPS of it over a year ago. The unidentified researcher says they never received a response from the USPS, which led them to contact KrebsOnSecurity, who, after verifying the issue, reached out to the USPS on their behalf. The problem was then promptly fixed.
The API responsible for exposing this data was part of the USPS Informed Visibility program, which was designed to give companies that send bulk mail easier access to real-time tracking data. The initial reporting on the issue claims that the API showed almost zero effort to secure user data: after logging in, a user could simply modify search parameters to retrieve large amounts of other users’ data, an authorization failure rather than an authentication one.
In addition to real-time shipping data, the issue also exposed email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users, mailing campaign data and other information. Representatives from the USPS told Engadget that they have no reason to believe the API was ever used to maliciously access user data.
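The failure described above, a logged-in caller changing a search parameter to read or edit someone else’s record, is an object-level authorization bug: the server authenticates the session but never checks that the record being asked for belongs to it. The following is an added illustration, not code from USPS or the Informed Visibility API; the in-memory account store, the field names and the handler signatures are all constructed assumptions. It puts the vulnerable lookup beside a hardened one that binds the requested identifier to the session, applies the same check to writes, and includes a small regression check that counts how many foreign records a fixed session can reach.

```python
"""Added example: caller-supplied identifier trusted blindly versus
checked against the authenticated session. Constructed data and
interfaces; not the USPS implementation."""

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller asks for a record the session does not own."""


@dataclass
class Account:
    user_id: int
    username: str
    email: str
    street_address: str
    tracking: list = field(default_factory=list)


# Constructed sample records standing in for an account database.
ACCOUNTS = {
    101: Account(101, "alice", "alice@example.com", "1 First St", ["pkg-a1"]),
    102: Account(102, "bob", "bob@example.com", "2 Second St", ["pkg-b1"]),
    103: Account(103, "carol", "carol@example.com", "3 Third St", []),
}


def lookup_vulnerable(session_user_id, requested_user_id):
    """Authenticated but not authorized: the session is never compared with
    the user_id search parameter, so any logged-in caller can read any row."""
    return ACCOUNTS[requested_user_id]


def lookup_hardened(session_user_id, requested_user_id):
    """Object-level authorization: the identifier in the request must match
    the identity established by the session, otherwise the call is refused."""
    if requested_user_id != session_user_id:
        raise Forbidden(
            f"user {session_user_id} may not read user {requested_user_id}")
    return ACCOUNTS[requested_user_id]


def update_hardened(session_user_id, requested_user_id, **changes):
    """Writes reuse the same ownership check, so a caller cannot modify
    another account's details by editing the identifier in the request."""
    record = lookup_hardened(session_user_id, requested_user_id)
    for name, value in changes.items():
        if not hasattr(record, name):
            raise ValueError(f"unknown field {name}")
        setattr(record, name, value)
    return record


def count_foreign_records(session_user_id, lookup):
    """Regression check for the fix: with one fixed session, step through
    every stored identifier and count how many records that are not the
    session's own the handler hands back. A correct handler returns 0."""
    leaked = 0
    for candidate in ACCOUNTS:
        if candidate == session_user_id:
            continue
        try:
            lookup(session_user_id, candidate)
            leaked += 1
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks", count_foreign_records(101, lookup_vulnerable))
    print("hardened handler leaks", count_foreign_records(101, lookup_hardened))
```

The check in `count_foreign_records` is the kind of test that belongs in a CI suite for any endpoint that takes an account identifier as a parameter: it fails loudly the moment a handler forgets to compare the requested object with the session's identity.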