The U.S. Postal Service has patched a security vulnerability that exposed the data of some 60 million customers to anyone who was logged into the USPS.com website.
Made public Sunday by security researcher Brian Krebs, the vulnerability related to an authentication weakness in an application programming interface being used on the USPS website.
The API in question, ironically called “Informed Visibility,” had been designed to allow bulk mail senders to track and analyze mail. Instead of restricting services to bulk mail senders alone, the API allowed anyone logged in to USPS.com to query the system for account details belonging to any other user, such as email address, username, user ID, account number, street address, phone number, authorized users and mailing campaign data.
Worse still, the vulnerability also let any user request account changes for any other user, such as email address, phone number or other key details.
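The gap described above is a missing object-level authorization check: the API verified that the caller was logged in but never that the requested record belonged to the caller. The following is an added example, not USPS code or data, with constructed accounts and log lines: it shows the vulnerable lookup beside a hardened read and write that check ownership, plus a log check that flags the enumeration pattern such a flaw invites.

```python
from collections import defaultdict

# Constructed accounts for a bulk-mail analytics API; 'owner' is the login that owns each.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com", "phone": "555-0101"},
    1002: {"owner": "bob", "email": "bob@example.com", "phone": "555-0102"},
}

class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""

def get_account_vulnerable(session_user, account_id):
    """The flaw: the only check is 'logged in?', never 'owns this record?'."""
    if session_user is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]

def get_account_hardened(session_user, account_id):
    """Object-level authorization: return the record only to its owner."""
    if session_user is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    # Same error for missing and foreign accounts, so valid IDs are not revealed.
    if record is None or record["owner"] != session_user:
        raise Forbidden("not authorized for this account")
    return record

def update_account_hardened(session_user, account_id, changes):
    """Writes get the same ownership check; only whitelisted fields change."""
    record = get_account_hardened(session_user, account_id)
    record.update({k: v for k, v in changes.items() if k in {"email", "phone"}})
    return record

# Constructed API access-log lines, "<user> <method> <path>", one per request.
SAMPLE_LOG = [
    "alice GET /api/accounts/1001",
    "mallory GET /api/accounts/1001",
    "mallory GET /api/accounts/1002",
    "mallory GET /api/accounts/1003",
]

def flag_enumeration(lines, threshold=3):
    """Detection: users touching at least `threshold` distinct account IDs."""
    ids_by_user = defaultdict(set)
    for line in lines:
        user, _method, path = line.split()
        if path.startswith("/api/accounts/"):
            ids_by_user[user].add(path.rsplit("/", 1)[1])
    return sorted(u for u, ids in ids_by_user.items() if len(ids) >= threshold)
```

In a real service the ownership check belongs in one shared authorization layer rather than in each handler, so that no new endpoint can ship without it.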
After being informed, USPS patched the vulnerability before Krebs published the details. In a statement, the USPS said that it has “no information that the vulnerability was leveraged to exploit customer records.” But it added that “out of an abundance of caution, for which the larger postal service is as of now researching and investigating further to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”
The role of an API in the vulnerability is notable, Setu Kulkarni, vice president of strategy and business development at WhiteHat Security Inc., said in a report. “APIs are turning out to be a double-edged sword when it comes to internet scale B2B connectivity and security,” he said. “APIs, when insecure, break down the very premise of uber connectivity they have helped establish.”
To avoid such flaws, he said, government agencies and companies must be proactive, not just reactive, in regards to application security. “Every business that handles consumer data needs to make security a consistent, top-of-mind concern with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites and databases,” he said.
Kulkarni added that “organizations that rely on digital platforms need to educate and empower developers to code using security best practices throughout the entire software lifecycle with proper security training and certifications.”