API Vulnerability Found on USPS Website Exposes Private User Data

The private information of Postal Service customers was wide open for more than a year.

by Lindsay Smith · Dec. 05, 18 · News

A little over a year ago, an anonymous researcher pointed out a vulnerability on the USPS website that allowed site visitors to see users' personal account info, including usernames and street addresses.

Now, a year later, the vulnerability is finally being addressed by USPS, which cites a weakness in an authentication API on its website as the reason user information was accessible to anyone. USPS did not address the vulnerability until a recent article on KrebsOnSecurity brought it to light.

The authentication API on usps.com is part of the website's Informed Visibility feature, which provides package and mail tracking information to business customers. These companies use the data to make informed business decisions and to send out mass mailings.

In a statement to Engadget, a USPS spokesperson addressed the vulnerability, saying, "We have no information that this vulnerability was leveraged to exploit customer records." They explained, "the information shared with the Postal Service allowed us to quickly mitigate this vulnerability."

This means that the root cause of the vulnerability has not been fully determined: whether it was an engineering flaw or the result of a criminal act remains unclear. In the meantime, USPS says it will continue to investigate the vulnerability "to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."

After the fix by USPS, users still showed distrust for the Informed Visibility feature, replying to KrebsOnSecurity's original post:

[Screenshot: reader comments on KrebsOnSecurity's original post expressing distrust of the Informed Visibility feature]

USPS concluded their statement to Engadget, saying, "Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service's Information Security Program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity."
