US Postal Service website vulnerability exposed data of 60 million users

The US Postal Service has just fixed a severe vulnerability in its website that allowed anyone with a usps.com account to view and modify account details for approximately 60 million other users. According to Krebs on Security, the vulnerability was first discovered by an independent security researcher more than a year ago. The researcher informed the US Postal Service but received no response until last week, when Krebs contacted the USPS on behalf of the researcher.

USPS Site Exposed Data

The vulnerability stems from an authentication weakness in an API on the USPS website tied to a program called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.

In addition to exposing near real-time data on parcels and mail sent by USPS commercial customers, the vulnerability allowed any user logged into usps.com to query the system for other users’ account details, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data, and other information.

The API’s search features supported “wildcard” parameters, meaning a query could return every record in a given data set without searching for a specific term. Beyond knowing how to view and modify the data elements that an ordinary browser such as Chrome or Firefox sends and receives, no special hacking tools were needed to extract this data.

If multiple accounts shared a common data element (such as a street address), a search through the API returned all of those records, so that other users’ information could be viewed and modified.
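The flaw class described above, an authenticated API that never checks whether the caller is allowed to see or edit the record it returns, combined with wildcard search that dumps a whole data set, is illustrated below. This is an added example, not USPS code; the records, field names and function names are constructed for illustration, and the hardened variant shows the two checks that were missing: scoping every query to the records the caller owns or is authorized on, and refusing wildcard-only searches.

```python
import fnmatch
from dataclasses import dataclass, field


# Constructed sample records for illustration only; not real USPS data.
@dataclass
class Account:
    account_id: int
    username: str
    email: str
    street_address: str
    phone: str
    authorized_users: set = field(default_factory=set)  # usernames allowed to act on this account


ACCOUNTS = [
    Account(1, "alice", "alice@example.com", "12 Main St", "555-0101"),
    Account(2, "bob", "bob@example.com", "12 Main St", "555-0102"),   # shares alice's street address
    Account(3, "carol", "carol@example.com", "99 Oak Ave", "555-0103", {"alice"}),  # alice is an authorized user
]

SEARCHABLE = {"account_id", "username", "email", "street_address", "phone"}
EDITABLE = {"email", "phone", "street_address"}


def _matches(record, filters):
    # Wildcard matching like the API described in the article: '*' matches any run of characters.
    return all(fnmatch.fnmatchcase(str(getattr(record, f, "")), pat) for f, pat in filters.items())


def search_vulnerable(session_user, filters):
    """Caller is authenticated, but no object-level check is made: every record is in scope,
    so {"street_address": "*"} returns the whole table."""
    return [r.account_id for r in ACCOUNTS if _matches(r, filters)]


def update_vulnerable(session_user, account_id, **changes):
    """Modifies whichever account matches the id; ownership is never checked."""
    for r in ACCOUNTS:
        if r.account_id == account_id:
            for k, v in changes.items():
                setattr(r, k, v)
            return True
    return False


def _visible_to(session_user):
    # Object-level authorization: only records the caller owns or is explicitly authorized on.
    return [r for r in ACCOUNTS if r.username == session_user or session_user in r.authorized_users]


def search_hardened(session_user, filters):
    if not filters or any(f not in SEARCHABLE for f in filters):
        raise ValueError("unknown or missing search field")
    # A pattern made only of '*' and '?' matches everything; refuse it outright.
    if all(str(p).strip("*?") == "" for p in filters.values()):
        raise ValueError("refusing wildcard-only query")
    # Even a specific value (a shared street address) only returns the caller's own records.
    return [r.account_id for r in _visible_to(session_user) if _matches(r, filters)]


def update_hardened(session_user, account_id, **changes):
    if not changes or any(k not in EDITABLE for k in changes):
        raise ValueError("field not editable")
    for r in _visible_to(session_user):
        if r.account_id == account_id:
            for k, v in changes.items():
                setattr(r, k, v)
            return True
    raise PermissionError(f"{session_user} may not modify account {account_id}")


if __name__ == "__main__":
    print("vulnerable, wildcard:", search_vulnerable("alice", {"street_address": "*"}))
    print("vulnerable, shared address:", search_vulnerable("alice", {"street_address": "12 Main St"}))
    print("hardened, shared address:", search_hardened("alice", {"street_address": "12 Main St"}))
```

The point of the hardened version is that the filter is applied after the authorization scope, not before; whether the caller typed a wildcard or a street address shared with a stranger, the result set can never contain a record the caller was not already entitled to see.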

The US Postal Service issued a statement saying it has found no evidence that the vulnerability was used to obtain user information, and that it moved to fix the flaw and mitigate its impact after being notified.