A security flaw discovered in a U.S. Postal Service platform may have exposed the data of more than 60 million customers.
The vulnerability, uncovered by an anonymous security researcher, was found in an API of the USPS’s Informed Visibility mail-tracking service, TechCrunch reported. The researcher found that he could access data by sending wildcard requests to the server.
Informed Visibility is an enterprise-level sister service to the USPS’s standard Informed Delivery mail tracking service, which allows customers to see mail before it arrives. But reportedly, the flaw impacted all usps.com users.
According to cybersecurity journalist Brian Krebs, that security vulnerability could have allowed anyone with a standard usps.com account to view — and even modify — the account details of other users.
That includes email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, mailing campaign data, and other private or sensitive information.
While user passwords were likely not accessible via the breach, malicious entities could have harvested that data for targeted mass spam campaigns — or even sophisticated phishing and social engineering efforts.
The security flaw didn’t require any specialized tools to exploit, just “knowledge of how to view and modify data elements processed by a regular web browser,” Krebs wrote.
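The flaw as described is a broken access-control problem: an API that trusts a client-supplied lookup filter (including a wildcard) and a client-supplied object id, and never checks that the requested record belongs to the logged-in user. The following is an added illustrative model, not USPS code and not the researcher's material; the in-memory user table, the function names and the `*` wildcard syntax are all constructed assumptions. It places the vulnerable pattern beside the hardened one so the difference is concrete.

```python
"""Constructed model of a record-lookup API with and without ownership checks.

Not the actual USPS API: the user table, field names and wildcard syntax
are assumptions made for illustration. Two versions of each endpoint are
shown. The insecure versions trust request parameters; the secure versions
scope every read and write to the authenticated session principal.
"""
import fnmatch

# Constructed sample records with fictional users; not real data.
USERS = {
    101: {"username": "alice", "email": "alice@example.com", "street": "1 Elm St"},
    102: {"username": "bob",   "email": "bob@example.com",   "street": "2 Oak St"},
    103: {"username": "carol", "email": "carol@example.com", "street": "3 Pine St"},
}

WILDCARD_CHARS = "*?[]"


class AccessDenied(Exception):
    """Raised when a caller requests an object it does not own."""


def lookup_insecure(session_user_id, username_filter):
    """Vulnerable pattern: the filter comes straight from the request and a
    '*' matches every record, regardless of who the session belongs to."""
    return [dict(id=uid, **rec) for uid, rec in USERS.items()
            if fnmatch.fnmatch(rec["username"], username_filter)]


def lookup_secure(session_user_id, username_filter):
    """Hardened pattern: reject wildcard metacharacters outright, then scope
    the query to the caller's own record so a filter can only narrow it."""
    if any(ch in username_filter for ch in WILDCARD_CHARS):
        raise ValueError("wildcards are not permitted in a lookup filter")
    rec = USERS.get(session_user_id)
    if rec is None or rec["username"] != username_filter:
        return []  # nothing the caller is entitled to see matches the filter
    return [dict(id=session_user_id, **rec)]


def update_street_insecure(session_user_id, target_user_id, new_street):
    """Vulnerable pattern: the target id is taken from the request, so any
    logged-in user can modify any other user's record."""
    USERS[target_user_id]["street"] = new_street
    return USERS[target_user_id]["street"]


def update_street_secure(session_user_id, target_user_id, new_street):
    """Hardened pattern: the object id must equal the session principal.
    A mismatch is logged, since a burst of such denials per session is the
    signal a monitoring rule for this flaw class should alert on."""
    if target_user_id != session_user_id:
        print(f"ALERT session_user={session_user_id} "
              f"attempted write to user={target_user_id}")
        raise AccessDenied("object does not belong to the caller")
    USERS[target_user_id]["street"] = new_street
    return USERS[target_user_id]["street"]


def secure_lookup_rejects_wildcard(session_user_id, username_filter):
    """Helper for checking that the hardened lookup refuses a wildcard filter."""
    try:
        lookup_secure(session_user_id, username_filter)
    except ValueError:
        return True
    return False


def secure_update_denies_foreign_id(session_user_id, target_user_id):
    """Helper for checking that the hardened update refuses a foreign object id."""
    try:
        update_street_secure(session_user_id, target_user_id, "changed")
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    # Session belongs to user 101; the insecure lookup hands back everyone.
    print(len(lookup_insecure(101, "*")), "records via insecure wildcard lookup")
    print(lookup_secure(101, "alice"), "via secure lookup")
    print(secure_lookup_rejects_wildcard(101, "*"), "wildcard rejected")
    print(secure_update_denies_foreign_id(101, 102), "foreign write denied")
```

The key design point is that authorization is derived from the session, never from the request body: the secure functions ignore any client-chosen scope and compare the requested object against the principal the server already knows. Rejecting wildcard metacharacters before the query is built closes the enumeration path independently of the ownership check, so either control alone would have limited exposure and both together are the norm for object-level authorization.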
Never Heard a Response
Worryingly, the anonymous researcher who contacted Krebs said he discovered the flaw more than a year ago. When he contacted the USPS about the issue, he never received a response.
It was only after KrebsOnSecurity corroborated the findings, contacted the USPS and publicized the issue that the Postal Service patched the security vulnerability.
The USPS is now investigating whether the security vulnerability was used to access the data of its customers.
“Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law,” the USPS wrote in a statement to KrebsOnSecurity.
It’s worth noting that earlier in November, KrebsOnSecurity reported that the U.S. Secret Service was aware of identity thieves using Informed Delivery to aid in mail theft.
Essentially, those bad actors were leveraging the service to see what mail would arrive on which days — allowing them to steal important documents, checks and other mail.