
API Vulnerability Found on USPS Website Exposes Private User Data


The private information of Postal Service customers was wide open for more than a year.

· Security Zone ·

A little over a year ago, an anonymous researcher pointed out a vulnerability on the USPS website that allowed site visitors to see users' personal account info, including usernames and street addresses.

Now, a year later, this vulnerability is finally being addressed by USPS, which cites an authentication API weakness on its website as the reason user information was accessible to anyone. The vulnerability went unaddressed by USPS until a recent article on KrebsOnSecurity brought it to public attention.

The authentication API on usps.com is part of the website's Informed Visibility feature, which gives companies package and tracking information about their customers. Those companies use the customer data to make business decisions and to send out mass mailings.
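The article describes the flaw only as an authentication API weakness that let any site visitor read other users' account records. As an added illustration, not USPS's code (which the article does not show), the following Python sketch contrasts an account-lookup handler that returns whatever record it is asked for with one that checks that the authenticated caller owns the record, and adds a small detection routine over constructed access-log lines that flags a session probing many accounts. The account table, user names, addresses, session identifiers and log format are all constructed sample values.

```python
# Added illustration of the weakness class described in the article:
# an account-lookup API with and without an ownership (authorization) check.
# All data below is constructed sample data, not USPS data.

ACCOUNTS = {
    "u1001": {"username": "alice", "street": "1 Sample St"},
    "u1002": {"username": "bob", "street": "2 Example Ave"},
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""


def lookup_vulnerable(session_user_id, requested_user_id):
    """Vulnerable pattern: returns any requested account.

    The session is accepted but never compared with the requested id,
    so any visitor can read every user's record by varying requested_user_id.
    """
    return ACCOUNTS.get(requested_user_id)


def lookup_hardened(session_user_id, requested_user_id):
    """Hardened pattern: returns an account only to its authenticated owner."""
    if session_user_id is None:
        raise Forbidden("authentication required")
    if session_user_id != requested_user_id:
        # Deny, and leave the denied request to the access log: repeated
        # cross-account denials from one session are a detection signal.
        raise Forbidden("caller may not read another user's account")
    return ACCOUNTS[requested_user_id]


def is_denied(session_user_id, requested_user_id):
    """True when the hardened lookup refuses the request (helper for checks)."""
    try:
        lookup_hardened(session_user_id, requested_user_id)
    except Forbidden:
        return True
    return False


# Constructed access-log lines in a hypothetical key=value format:
# one session reads its own record, then is denied on four other accounts.
SAMPLE_LOG = [
    "session=u1001 requested=u1001 result=ok",
    "session=u1001 requested=u1002 result=denied",
    "session=u1001 requested=u1003 result=denied",
    "session=u1001 requested=u1004 result=denied",
    "session=u1001 requested=u1005 result=denied",
    "session=u1002 requested=u1002 result=ok",
]


def flag_enumeration(log_lines, threshold=3):
    """Return sessions whose denied lookups touched more than `threshold`
    distinct accounts, a simple indicator of account enumeration."""
    denied_targets = {}
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("result") != "denied":
            continue
        denied_targets.setdefault(fields["session"], set()).add(fields["requested"])
    return sorted(s for s, ids in denied_targets.items() if len(ids) > threshold)


if __name__ == "__main__":
    print("vulnerable, cross-account:", lookup_vulnerable("u1001", "u1002"))
    print("hardened, own account:", lookup_hardened("u1001", "u1001"))
    print("hardened, cross-account denied:", is_denied("u1001", "u1002"))
    print("sessions flagged for enumeration:", flag_enumeration(SAMPLE_LOG))
```

The ownership comparison is the whole fix: authentication alone (a valid session) says nothing about which records the session may read. The detection routine is deliberately simple; in practice the threshold and window would be tuned to the service's normal traffic.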

In a statement to Engadget, a USPS spokesperson addressed the vulnerability, saying, "We have no information that this vulnerability was leveraged to exploit customer records." They explained that "the information shared with the Postal Service allowed us to quickly mitigate this vulnerability."

This means that the root cause of the vulnerability has not been publicly determined. Whether this was an engineering mistake or a criminal act remains unclear. In the meantime, USPS says that it will continue to investigate the vulnerability "to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."

After the fix by USPS, users still showed distrust for the Informed Visibility feature, replying to KrebsOnSecurity's original post:

[Screenshot of reader replies to the KrebsOnSecurity post; image not reproduced here]

USPS concluded their statement to Engadget, saying, "Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service's Information Security Program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity."

