US Postal Service has patched a critical bug that allowed anyone who has an account at usps.com to view and modify account details for other users, some 60 million users were affected.
The news was first reported by the popular investigator Brian Krebs who was contacted by a researcher who discovered the issue.
The researchers, who asked to remain anonymous, reported the flaw to the USPS more than a year ago, but the company ignored him. After the public disclosure of the issue, USPS fixed the issue.
The problem resides in the USPS Informed Visibility API designed to to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.
“In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.” reads the post on KrebsonSecurity blog.
“Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms.”
The researcher discovered that using the API to search for one specific data element (i.e. an address) it was possible to retrieve multiple accounts that shared the data.
“For example, a search on the email addresses for readers who volunteered to help with this research turned up multiple accounts when those users had more than one user signed up at the same physical address.” continues Krebs.
“This is not good,” said one anonymous reader who volunteered to help with this research, after viewing a cut-and-paste of his USPS account details looked up via his email address. “Especially since we moved due to being threatened by a neighbor.”
USPS implemented a validation step to prevent unauthorized changes with some specific data fields.
When a user attempt to modify the email address associated with a specific USPS account via the API it is prompted a confirmation message sent to the email address tied to that account.
The good news is that it seems that API doesn’t expose USPS account passwords.
“The API at issue resides here; a copy of the API prior to its modification on Nov. 20 by the USPS is available here as a text file.” continues Krebs.
Such kind of flaws is very dangerous, spammers could abuse them to several malicious purposes, including phishing campaigns.
Krebs also pointed out that a vulnerability assessment of Informed Visibility was published in October 2018 by the USPS’s Office of Inspector General (OIG).
Auditors discovered several authentication and encryption flaws that evidently were underestimated.
“The USPS told the OIG it had addressed the authentication problems raised in the audit report, which appear to have been related to how data was encrypted in transit.”
(Security Affairs – Hacking, US Postal Service)