US Postal Service fixed a year old vulnerability
The US Postal Service says it has fixed a security weakness on usps.com for sometime that let anyone see the personal account info of its users, including usernames and street addresses. The open vulnerability was reportedly identified over a year ago by an independent researcher but USPS never patched it until this week, when information security reporter Brian Krebs on Security flagged the issue after he received a tip from an anonymous security researcher. The USPS fixed the error within 48 hours after then.
The flaw exposed personal data for 60 million 'Informed Visibility' accounts.
“It was caused by an authentication weakness in the site’s application programming interface (API) that allowed anyone to access a USPS database offered to businesses and advertisers to track user data and packages. The API should have verified whether an account had permissions to read user data but USPS didn’t have such controls in place.”
Users were not simply exposed by sending and receiving mail, only becoming potentially compromised should they have conducted business on the site which required a user name. The user names were also exposed by the vulnerability, along with attending addresses. So if you have been one of the many users who have utilized USPS services online, hackers may have gathered some of your private information.
Users’ personal data including emails, phone numbers, mailing campaign data were all exposed to anyone who was logged into the site. Additionally, any user could request account changes for another user, so they could potentially change another account’s email address and phone number, although USPS does at least send a confirmation email to confirm the changes.
The United States Postal Service has recently been in the news due to another price increase on stamps and other delivery services. Those increases were the result of yet another year of financial woes, struggles which have left the USPS deeper in debt. It is reasonable to imagine that every aspect of the service is struggling, not just the information technology division.
The flaw exposed personal data for 60 million 'Informed Visibility' accounts.
“It was caused by an authentication weakness in the site’s application programming interface (API) that allowed anyone to access a USPS database offered to businesses and advertisers to track user data and packages. The API should have verified whether an account had permissions to read user data but USPS didn’t have such controls in place.”
Users were not simply exposed by sending and receiving mail, only becoming potentially compromised should they have conducted business on the site which required a user name. The user names were also exposed by the vulnerability, along with attending addresses. So if you have been one of the many users who have utilized USPS services online, hackers may have gathered some of your private information.
Users’ personal data including emails, phone numbers, mailing campaign data were all exposed to anyone who was logged into the site. Additionally, any user could request account changes for another user, so they could potentially change another account’s email address and phone number, although USPS does at least send a confirmation email to confirm the changes.
The United States Postal Service has recently been in the news due to another price increase on stamps and other delivery services. Those increases were the result of yet another year of financial woes, struggles which have left the USPS deeper in debt. It is reasonable to imagine that every aspect of the service is struggling, not just the information technology division.
from E Hacking News - Latest Hacker News and IT Security News https://ift.tt/2zqK56r