A security flaw in the U.S. Postal Service’s website that went undetected for more than a year allowed any registered account holder to view account details of over 60 million other users, security researcher KrebsOnSecurity has revealed.
According to KrebsOnSecurity, an authentication weakness in an API on the U.S. Postal Service’s website gave registered users access to much more data than originally intended, thereby putting the personal data of millions of users at risk.
The API was associated with a Postal Service initiative called “Informed Visibility” that was aimed at allowing registered users to access real-time data about packages and mail campaigns.
Flawed API ran unchecked for over a year
However, because of an authentication weakness in the API that the U.S. Postal Service did not detect, a registered user could view usernames, email addresses, user IDs, account numbers, addresses, phone numbers, and mailing campaign data of millions of other users.
“Many of the API’s features accepted ‘wildcard’ search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox.
“In cases where multiple accounts shared a common data element — such as a street address — using the API to search for one specific data element often brought up multiple records. For example, a search on the email addresses for readers who volunteered to help with this research turned up multiple accounts when those users had more than one user signed up at the same physical address,” wrote KrebsOnSecurity in a blog post.
Not only did the flawed API allow registered users to view the personal data of others, it also allowed them to modify certain data fields of any other account, such as the phone number or other key details. Fortunately, changes made to certain data fields such as email addresses included a validation step to prevent unauthorised changes.
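The access-control gap described above, as an added Python example (not code from the Postal Service or KrebsOnSecurity): a search handler that trusts any logged-in caller and expands wildcards, next to handlers that reject wildcards and scope reads and writes to the caller’s own account. The account records, field names and function names are assumptions constructed for illustration.

```python
# Constructed sample data; field names are assumptions, not the USPS schema.
ACCOUNTS = [
    {"user_id": 1, "email": "alice@example.com", "address": "1 Main St", "phone": "555-0100"},
    {"user_id": 2, "email": "bob@example.com", "address": "1 Main St", "phone": "555-0101"},
    {"user_id": 3, "email": "carol@example.com", "address": "9 Oak Ave", "phone": "555-0102"},
]
SEARCHABLE = {"email", "address"}   # fields a caller may search on
WILDCARDS = set("*%")               # characters never expanded by the hardened search


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the request."""


def search_weak(caller_id, field, value):
    # Weak: being logged in is the only check, and "*" matches every record.
    return [a for a in ACCOUNTS if value == "*" or a[field] == value]


def search_hardened(caller_id, field, value):
    # Reject unknown fields and wildcard terms instead of expanding them.
    if field not in SEARCHABLE:
        raise Forbidden("field not searchable")
    if not value or WILDCARDS & set(value):
        raise Forbidden("wildcard or empty search term")
    # Object-level check: only records owned by the caller are returned, so a
    # shared street address no longer exposes the other account at that address.
    return [a for a in ACCOUNTS if a[field] == value and a["user_id"] == caller_id]


def update_phone_hardened(caller_id, target_id, phone):
    # Writes get the same ownership check as reads.
    if caller_id != target_id:
        raise Forbidden("cannot modify another user's account")
    for account in ACCOUNTS:
        if account["user_id"] == target_id:
            account["phone"] = phone
            return account
    raise Forbidden("no such account")
```

The point of the hardened versions is that the ownership decision is made on the server for every record returned or changed, independent of what the browser sends.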
The flaw was detected over a year ago by a security researcher, who promptly informed the U.S. Postal Service about his findings but never received any response. However, when contacted by KrebsOnSecurity after the latter confirmed the researcher’s findings, the U.S. Postal Service acted on the information and fixed the flawed API promptly.
“Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity.
“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law,” the U.S. Postal Service said in a statement.
Vetting APIs for security flaws a must for firms
Commenting on the presence of a glaring security flaw in the U.S. Postal Service’s website, Tim Mackey, senior technical evangelist at Synopsys, said: “With applications increasingly dependent upon third party APIs, this report highlights the risks organisations have without proper vetting of the services. Understanding the data transmitted to an API and a method to validate the sanity of the returned data should be part of the review process in all development and procurement teams.
“Armed with this information, API consumers can then monitor for any security disclosures associated with their API usage. When you consider the US Senate Commerce Committee is hearing briefs on a national data protection law similar to CCPA and GDPR, organisations should view tracking of API dependencies as a core strategy in reducing risks associated with potential data breaches,” he added.