API Vulnerability Found on USPS Website Exposes Private User Data

A little over a year ago, an anonymous researcher pointed out a vulnerability on the USPS website that allowed site visitors to see users' personal account info, including usernames and street addresses.

Now, a year later, this vulnerability is finally being addressed by USPS, who cites an authentication API weakness on their website as the reason user information was made accessible to anyone. The vulnerability went unaddressed by USPS until a recent article on KrebsOnSecurity. 

The authentication API on usps.com is part of the website's Informed Visibility feature. This feature is used to offer customer package and tracking information for companies. These companies look at customer data to make informed business decisions and send out mass mailings.

In a statement to Engadget, a USPS spokesperson addressed the vulnerability, saying, "We have no information that this vulnerability was leveraged to exploit customer records." They explained, "the information shared with the Postal Service allowed us to quickly mitigate this vulnerability."

This means that the known cause of the vulnerability has not been fully determined. Whether or not this was an engineering issue or criminal offense is unclear. In the meantime, USPS says that they will continue to investigate the vulnerability "to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."

After the fix by USPS, users still showed distrust for the Informed Visibility feature, replying to KrebsOnSecurity's original post:

USPS concluded their statement to Engadget, saying, "Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service's Information Security Program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity."