Anyone with an account on the U.S. Postal Service website could have looked up account details for about 60 million other users, and even modified their account details.
The flaw was in a USPS web component, an API (application programming interface), which defines how online applications interact with one another. The problem was with a Postal Service initiative called Informed Visibility, which is designed to let businesses, advertisers, and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.
Through this service, any logged-in user could view other users’ information, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data, and other details.
Informed Visibility was designed to help business customers track mail in real time, but instead the API revealed the details of anyone who had an account with USPS.
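The flaw described above is a missing object-level authorization check: the API trusted the account identifier the client supplied and never asked whether the logged-in user was entitled to that record. The following is an added illustration, not USPS code, using a constructed data model and hypothetical function names; it shows the vulnerable handler beside the fixed one, and a log check that flags sessions reading an unusual number of other accounts:

```python
# Added illustration (not USPS code): broken object-level authorization in an
# account-lookup API, its fix, and a simple detection over access logs.

# Constructed sample records keyed by account id.
ACCOUNTS = {
    1001: {"owner": "alice", "authorized": ["bob"],
           "email": "alice@example.com", "phone": "555-0100"},
    1002: {"owner": "carol", "authorized": [],
           "email": "carol@example.com", "phone": "555-0101"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_account_vulnerable(session_user, account_id):
    """Vulnerable: returns whatever id the client asks for, ignoring who asked."""
    return ACCOUNTS[account_id]


def get_account_fixed(session_user, account_id):
    """Fixed: the caller must own the record or be one of its authorized users."""
    record = ACCOUNTS.get(account_id)
    # Unknown and unauthorized ids get the same error, so ids cannot be probed.
    if record is None:
        raise Forbidden("not found")
    if session_user != record["owner"] and session_user not in record["authorized"]:
        raise Forbidden("not found")
    return record


def is_denied(session_user, account_id):
    """Helper: True if the fixed handler refuses this (user, account) pair."""
    try:
        get_account_fixed(session_user, account_id)
    except Forbidden:
        return True
    return False


def flag_enumerating_sessions(access_log, threshold=3):
    """Detection: users whose session touched at least `threshold` distinct
    account ids. access_log is a list of (session_user, account_id) tuples;
    a legitimate customer normally reads only their own (or a few) accounts."""
    seen = {}
    for user, acct in access_log:
        seen.setdefault(user, set()).add(acct)
    return sorted(user for user, ids in seen.items() if len(ids) >= threshold)
```

In a real deployment the threshold would be tuned against normal traffic, and the check would run per session token rather than per username.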
“We currently have no information that this vulnerability was leveraged to exploit customer records. The information shared with the Postal Service allowed us to quickly mitigate this vulnerability,” says USPS. “Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information,” it continued. “Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity.”
A security researcher notified USPS of this vulnerability roughly a year ago but received no response. When Brian Krebs reported it to USPS, the security issue was patched and resolved within 48 hours.
Original Article Found Here.