USPS took a year to address a vulnerability that exposed the data of 60 million users

The US Postal Service says it has fixed a security flaw on usps.com that allowed anyone to view the personal account information of its users, including user names and street addresses. An independent researcher reportedly identified and reported the vulnerability more than a year ago, but USPS did not correct it until this week, after Krebs on Security reported the problem.

The vulnerability affected all 60 million user accounts on the website. It stemmed from weak authentication in the site's application programming interface (API), which allowed anyone to access a USPS database that the service makes available to businesses, organizations and advertisers to track user data and packages. The API should have checked whether an account had the necessary permissions to read the requested user data, but USPS had no such control in place.

Users' personal data, including e-mail addresses, phone numbers and direct mail campaign data, were all exposed to anyone logged in to the site. In addition, any user could request account changes for another user, and so could potentially change the e-mail address and phone number of another account, although USPS sends at least one confirmation e-mail before applying such changes.

Since street addresses were searchable in the database, any logged-in user could see who lives at a given address and even retrieve data on multiple people in the same household. Krebs notes that because of the vulnerability, "no special hacking tool was needed to extract this data."
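The two preceding paragraphs describe an API that authenticates callers but never checks whether they are authorized to read the record they ask for. The following is an added illustration, not USPS code and not based on its API: a hypothetical account-lookup endpoint with that missing check, the corrected version with an object-level authorization policy, and a simple detector for the bulk-lookup pattern such a flaw leaves in API logs. All records, roles and log entries are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Account:
    id: int
    email: str
    phone: str
    street_address: str

# Constructed sample records standing in for the account database.
ACCOUNTS = {
    1: Account(1, "alice@example.com", "555-0101", "1 Main St"),
    2: Account(2, "bob@example.com", "555-0102", "2 Main St"),
    3: Account(3, "carol@example.com", "555-0103", "2 Main St"),
}

def lookup_vulnerable(caller_id, target_id):
    """Authentication only: the caller must be a real account, but nothing
    checks that it is entitled to the record it asks for, so any logged-in
    user can read any other user's data (the missing control in the article)."""
    if caller_id not in ACCOUNTS:
        raise PermissionError("not logged in")
    return ACCOUNTS[target_id]

def can_read(caller_id, target_id, roles=frozenset()):
    """Object-level authorization policy (hypothetical): a caller may read its
    own record, or any record if it holds the constructed 'support' role."""
    return caller_id == target_id or "support" in roles

def lookup_fixed(caller_id, target_id, roles=frozenset()):
    """Same lookup with the ownership/role check the API should have had."""
    if caller_id not in ACCOUNTS:
        raise PermissionError("not logged in")
    if not can_read(caller_id, target_id, roles):
        raise PermissionError("caller may not read this account")
    return ACCOUNTS[target_id]

def flag_enumeration(access_log, threshold=5):
    """Detection: callers that read more distinct accounts than `threshold`,
    the footprint a bulk scrape of the lookup endpoint leaves in API logs."""
    seen = defaultdict(set)
    for caller_id, target_id in access_log:
        seen[caller_id].add(target_id)
    return sorted(c for c, targets in seen.items() if len(targets) > threshold)

# Constructed log of (caller_id, target_id) pairs: caller 9 walks ids 100..110.
SAMPLE_LOG = [(1, 1), (1, 1), (2, 2)] + [(9, t) for t in range(100, 111)]
```

The point of `lookup_fixed` is that authentication alone (is this a real account?) is not authorization (may this account read that record?); `flag_enumeration` is the kind of per-caller distinct-object count that would have surfaced mass reads through the unprotected endpoint.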

USPS said in a statement to Krebs: "Any information suggesting that criminals have attempted to exploit the potential vulnerabilities of our network is taken very seriously. As a precaution, the postal service is continuing its investigation to ensure that anyone who could have sought to access our systems inappropriately is within the limits of the law." A recent audit of its systems in October did not uncover this vulnerability, although it found many other weaknesses. We have asked USPS whether it was aware of the problem when it was reported more than a year ago. No known exploitation of this vulnerability has been reported.

In its ongoing efforts to modernize and adapt to the digital age, USPS has faced many cybersecurity challenges. In 2014, a breach affected 800,000 USPS employees and 2.9 million customer service request records.
