In the aftermath of Black Friday and Cyber Monday, the US Postal Service has admitted it suffered a major security breach, exposing the private details of over 60 million users. This equates to almost one-fifth of the US population. The admission comes after Amazon acknowledged that hackers had managed to illegitimately obtain user names and emails in the run-up to the shopping holiday.
According to Krebs on Security, the postal service had a broken API within its tracking service, called Informed Visibility. The flaw in the API allowed any user to see another user’s details, and also exposed near real-time data about packages and mail being sent by USPS commercial customers. In the worst-case scenario, an attacker could even modify the account details of other users.
The issue had existed for quite some time: as Krebs revealed in his article, the person who approached him about it said they had first come across it over a year earlier. That person contacted USPS about the finding straight away yet never received a response. When Krebs contacted USPS, however, the service promptly took care of the issue.
What’s particularly scary, however, is that no special hacking tools were needed to execute something like this. All one needed was knowledge of how to view and modify the data elements processed by any popular web browser, such as Chrome or Firefox.
The issue appears to stem from the fact that USPS implemented no access control in its API. In essence, if a user requested to view someone else’s details, the API never checked that the requester had permission to view that other user’s details. In fact, the only check the API performed was whether the requester was logged in at all: it authenticated the user, but it never authorized the specific request.
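To show the difference between the check the article says the API performed and the one it was missing, here is an added example that is not USPS code: a minimal account-lookup handler with authentication only, the same handler with an object-level authorization check added, and a small log check a defender could run to spot one session walking through many account ids. The account table, user names and log format are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for a customer table (not USPS data).
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com"},
    1002: {"owner": "bob", "email": "bob@example.com"},
}

@dataclass
class Session:
    user: Optional[str]  # None models an unauthenticated request

class Unauthorized(Exception):
    pass

class NotFound(Exception):
    pass

def get_account_vulnerable(session, account_id):
    """Authentication only: any logged-in user can read any account."""
    if session.user is None:
        raise Unauthorized("login required")
    return ACCOUNTS[account_id]          # no ownership check at all

def get_account_fixed(session, account_id):
    """Authentication plus object-level authorization."""
    if session.user is None:
        raise Unauthorized("login required")
    record = ACCOUNTS.get(account_id)
    # Same response for "missing" and "not yours" so ids cannot be enumerated.
    if record is None or record["owner"] != session.user:
        raise NotFound("no such account")
    return record

# Constructed access log: one 'user=<name> account_id=<id>' entry per request.
SAMPLE_LOG = [
    "user=alice account_id=1001",
    "user=bob account_id=1002",
    "user=mallory account_id=1001",
    "user=mallory account_id=1002",
    "user=mallory account_id=1003",
    "user=mallory account_id=1004",
]

def flag_enumeration(log_lines, max_distinct_ids=3):
    """Detection: return users whose requests touched more distinct account
    ids than a single customer would plausibly own."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        seen[fields["user"]].add(fields["account_id"])
    return sorted(u for u, ids in seen.items() if len(ids) > max_distinct_ids)
```

The threshold in `flag_enumeration` is a placeholder; in practice it would be tuned to how many accounts a legitimate commercial customer actually manages.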
Mercifully, it doesn’t appear that account passwords could have been exposed through this API, though the investigation Krebs conducted was brief, so it’s possible that they could have been, had a little more digging been involved.