[ad_1]
A damaged US mail service API exposed more than 60 million users by allowing a searcher to extract millions of rows of data by sending generic queries to the server. The resulting security vulnerability has been corrected after several requests to USPS.
The USPS service, called InformedDelivery, allows you to view your mail before it arrives at your home and offers an API allowing users to connect their mail to specialized services such as CRM. We described the service in 2017.
The anonymous researcher has shown that the service accepts wildcards for many searches, allowing any user to see other users of the site. Brian Krebs copy of the API code on his site.
The USPS informed Krebs that he had investigated the data exposure and that:
Computer networks are constantly being attacked by criminals who attempt to exploit vulnerabilities to obtain information illegally. Similar to other companies, the postal information security program and the inspection service use industry best practices to continuously monitor suspicious activity in our network.
Any information suggesting that criminals have attempted to exploit the potential vulnerabilities of our network is taken very seriously. As a precaution, the postal service is continuing its investigation to ensure that anyone who may have tried to access our systems inappropriately is prosecuted within the limits of the law.
Krebs also reported that identity thieves abuse the service to see what messages arrive at home during which day, allowing them to acquire important documents and checks at will. The vulnerability of the API has been corrected, but nothing helps to know what other mismanaged features will appear in this powerful tool.
Source link
