This week it was revealed that the United States Postal Service (USPS) had a vulnerability in its systems that exposed the information of more than 60 million customers to anyone with a USPS website account.
The vulnerability was in the application programming interface (API). The API accepted wildcard search parameters, so anyone logged into usps.com could query the system and retrieve the account details of every other user.
It would have been possible to pull personally identifiable information such as usernames, email addresses, user ID numbers, account numbers, street addresses, phone numbers, mailing campaign data and the other authorized users on an account. It was even possible to request changes to other users' accounts, such as their phone numbers, email addresses and other information.
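As an added illustration, not code from the article or from USPS, the following toy Python model shows the two failure modes described above: a search endpoint that honours a caller-supplied wildcard pattern without scoping results to the authenticated caller, and an update endpoint that never checks that the caller owns the target account, each beside a hardened version that enforces object-level authorization. The record set, field names and function names are constructed for the example and do not reflect the real USPS API.

```python
import copy
import fnmatch

# Constructed sample account records standing in for a user table (not real USPS data).
SAMPLE_USERS = [
    {"user_id": 1, "username": "alice", "email": "alice@example.test", "phone": "555-0101"},
    {"user_id": 2, "username": "bob", "email": "bob@example.test", "phone": "555-0102"},
    {"user_id": 3, "username": "carol", "email": "carol@example.test", "phone": "555-0103"},
]

WILDCARD_CHARS = set("*?[")

def fresh_records():
    """Return an independent copy of the sample table so callers can mutate it freely."""
    return copy.deepcopy(SAMPLE_USERS)

def is_safe_search_term(term):
    """True when the term contains no glob metacharacters."""
    return not (WILDCARD_CHARS & set(term))

def search_vulnerable(records, caller_id, pattern):
    """The flawed pattern: caller_id is accepted but never consulted, and the
    user-supplied pattern is matched as a glob across every account."""
    return [u for u in records if fnmatch.fnmatchcase(u["username"], pattern)]

def search_hardened(records, caller_id, pattern):
    """Object-level authorization: wildcards are refused and results are limited
    to the record owned by the authenticated caller."""
    if not is_safe_search_term(pattern):
        raise ValueError("wildcard characters are not permitted in search terms")
    return [u for u in records if u["user_id"] == caller_id and u["username"] == pattern]

def _set_email(records, target_id, new_email):
    for u in records:
        if u["user_id"] == target_id:
            u["email"] = new_email
            return True
    return False

def update_email_vulnerable(records, caller_id, target_id, new_email):
    """Any authenticated caller may change any account's email (caller_id ignored)."""
    return _set_email(records, target_id, new_email)

def update_email_hardened(records, caller_id, target_id, new_email):
    """The target must be the caller's own account; every other request is refused."""
    if caller_id != target_id:
        raise PermissionError("callers may only modify their own account")
    return _set_email(records, target_id, new_email)
```

Rejecting wildcard characters is defence in depth; the essential fix is that every query and update is bound to the authenticated caller's own identity on the server side.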
The researcher who discovered the flaw wants to remain anonymous. He said he contacted USPS about the vulnerability a year ago, but they ignored it, leaving millions of users' data exposed. Last week a journalist contacted the postal service on behalf of the researcher, and this time USPS responded. After the journalist (Brian Krebs) reiterated the information, they fixed the issue within 48 hours.
There have been no reports of the vulnerability being exploited, but it's entirely possible that it was, since it was left open for a year. USPS has launched an investigation to determine whether the vulnerability was exploited.
This revelation once again highlights the importance of protecting user data in a world that demands you play the game and hand your data to companies in order to use their services. The public is becoming increasingly concerned with data protection, and incidents like these only fuel the push for tighter laws and greater responsibility on the part of the companies housing our data.