USPS Fixed Vulnerability That Exposed The Data of 60 Million People
David Goldman/AP File Photo
Just in time for the mail deluge of the holidays.
The U.S. Postal Service has recently fixed a major vulnerability on its website that allowed anyone with a USPS.com account to view the personal details of the other 60 million site users, according to KrebsOnSecurity.
In some instances, some users could even potentially modify another person's account details. And these aren't minor details either, the information includes personally identifiable information such as email addresses, phone numbers, physical street addresses and real-time data on package delivery.
KrebsOnSecurity was the first to report the news of the breach and its subsequent fix on Nov. 21 after a tip from an anonymous researcher. Krebs informed USPS of the vulnerability, which prompted the agency to make the necessary fixes.
“We currently have no information that this vulnerability was leveraged to exploit customer records. The information shared with the Postal Service allowed us to quickly mitigate this vulnerability,” a Postal Service spokesman told Nextgov. “Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”
The issue specifically was an authentication weakness in an API tied to the Postal Service's Informed Visibility program. Pulling the data didn't require special hacking knowledge or tools, just a web browser.
“This is not even Information Security 101, this is Information Security 1, which is to implement access control," said Nicholas Weaver, a researcher at the International Computer Science Institute, to Krebs.
This isn't the only privacy troubles the Postal Service has faced recently. A flaw in the agency's Informed Delivery service that easily exposed customers to fraud was made public earlier in November.
Editor's note: This article was updated with a statement from the U.S. Postal Service.