The United States Postal Service (USPS) has recently fixed a significant security vulnerability that exposed the personal data of over 60 million customers. The flaw allowed anyone holding a USPS.com account to access other customers' sensitive information, raising serious concerns about data security and user privacy.

USPS is an independent agency of the U.S. federal government, constitutionally recognized and tasked with providing postal services across the nation, which makes it a critical part of American infrastructure. The vulnerability stemmed from an authentication flaw in the application programming interface (API) of the USPS “Informed Visibility” program, a service intended to give businesses real-time mail tracking.

A cybersecurity researcher, who chose to remain anonymous, discovered that the API had been incorrectly programmed to accept wildcard search parameters. Because the search was not restricted to the caller's own account, any logged-in user could query the system for detailed account information belonging to other customers. Consequently, sensitive data such as email addresses, usernames, account numbers, residential addresses, phone numbers, and mailing campaign information could have been extracted from a vast number of USPS customer accounts.
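The flaw described above is an object-level authorization failure: the server let a caller's search filters, including wildcards, decide which records came back. The following is an added example, not code from USPS or from the article, modelling that mistake beside a hardened version that scopes results to the authenticated account and refuses pattern metacharacters; the record fields and account identifiers are constructed for illustration.

```python
"""Constructed model of a search API that honours caller-supplied wildcard
filters without first scoping results to the authenticated caller."""
from fnmatch import fnmatchcase

# Constructed sample records; field names are assumptions, not a real schema.
ACCOUNTS = [
    {"account_id": "A-1001", "username": "alice", "email": "alice@example.com",
     "street": "1 Main St"},
    {"account_id": "A-1002", "username": "bob", "email": "bob@example.com",
     "street": "2 Oak Ave"},
    {"account_id": "A-1003", "username": "carol", "email": "carol@example.org",
     "street": "3 Elm Rd"},
]

# Glob and SQL LIKE metacharacters that must never reach a record filter.
WILDCARD_CHARS = set("*?[%_")


def search_vulnerable(caller_id: str, filters: dict) -> list:
    """Flawed design: the caller's filters are matched against every account
    and wildcards are honoured, so a filter like {'email': '*'} returns
    records that do not belong to the caller. caller_id is never consulted."""
    return [
        acct for acct in ACCOUNTS
        if all(fnmatchcase(str(acct.get(k, "")), v) for k, v in filters.items())
    ]


def search_hardened(caller_id: str, filters: dict) -> list:
    """Hardened design: authorization is enforced server-side and does not
    depend on the filters. Results are first narrowed to the caller's own
    account, and any filter value carrying pattern metacharacters is
    rejected, so a wildcard can never widen the result set."""
    for key, value in filters.items():
        if not isinstance(value, str) or WILDCARD_CHARS & set(value):
            raise ValueError(f"wildcard or non-string filter rejected: {key!r}")
    owned = [acct for acct in ACCOUNTS if acct["account_id"] == caller_id]
    # Exact-match filtering only, inside the already-authorized scope.
    return [acct for acct in owned
            if all(acct.get(k) == v for k, v in filters.items())]


if __name__ == "__main__":
    # Bob (A-1002) is logged in and submits a wildcard email filter.
    print(len(search_vulnerable("A-1002", {"email": "*"})))              # 3
    print(len(search_hardened("A-1002", {"email": "bob@example.com"})))  # 1
```

Rejecting metacharacters is a defence in depth; the essential fix is the ownership scope, which holds even if a future filter field is added without validation.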

Setu Kulkarni, Vice President of Strategy and Business Development at WhiteHat Security, remarked on the double-edged nature of APIs in today’s digital landscape, noting that inadequate security can undermine the very connectivity APIs are designed to provide. He emphasized the need for organizations, especially in the public sector, to adopt a proactive approach to application security: rigorous security assessments and developers empowered to follow best practices are crucial for safeguarding consumer data across digital platforms.

One point of concern is that USPS appeared to disregard a responsible vulnerability disclosure for over a year. The researcher reportedly alerted the organization to the issue last year, yet the data remained unprotected until a journalist intervened by contacting USPS on the researcher’s behalf. Only then did USPS address the vulnerability, fixing it within 48 hours.

While it remains uncertain whether anyone exploited the vulnerability, the fact that such a flaw existed for so long has alarming implications for user security. Paul Bischoff, a privacy advocate at Comparitech, stated that since the vulnerability remained open for a year, it is prudent to assume the worst-case scenario regarding potential exploitation.

In response to inquiries about the breach, USPS stated that it currently has no evidence that the vulnerability was used to access customer records. It has pledged further investigation and to pursue any potential unauthorized access to the fullest extent of the law.

The incident underscores the urgent need for rigorous cybersecurity practices in organizations that handle sensitive consumer information. Mapping the breach to MITRE ATT&CK tactics such as Initial Access and Privilege Escalation makes it evident that more stringent measures are required to protect user data and maintain public trust in digital services.
