THE UNITED STATES POSTAL SERVICE (USPS) has plugged an API flaw that exposed the personal data of 60 million customers.
According to Krebs on Security, which received a tip-off from an anonymous researcher, the flaw stemmed from an authentication weakness in an API tied to USPS' 'Informed Visibility' programme, which is designed to help companies "make better business decisions by providing them with access to near real-time tracking data" about mail campaigns and packages.
The API, however, also let anyone logged in to USPS.com search the system for account details belonging to any other user, including email address, account number, street address and phone number.
And thanks to the programme's "wildcard" search parameters, anyone logged in with a basic understanding of how to modify request parameters in the browser's developer console could pull up reams of data on other users.
"Everything from usernames and account numbers to physical addresses and phone numbers was there for the taking," Krebs notes.
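The class of bug described above is a missing object-level authorization check: the API confirms that the caller is logged in but never ties the query to the caller's own account, and it honours wildcard patterns, so one request can enumerate everyone. The following is an added illustration written for this page, not USPS code; the record store, field names and handler functions are all constructed assumptions, and the vulnerable handler is shown beside a hardened one that rejects wildcards and scopes every lookup to the authenticated account.

```python
"""Constructed example of a wildcard-search API that leaks other users' records,
and a hardened version. Not USPS code; records and function names are assumptions."""

import fnmatch

# Constructed, fictional sample records (the data a lookup API might hold).
RECORDS = [
    {"account_id": "1001", "email": "alice@example.com", "phone": "555-0100", "street": "1 Main St"},
    {"account_id": "1002", "email": "bob@example.com", "phone": "555-0101", "street": "2 Oak Ave"},
    {"account_id": "1003", "email": "carol@example.org", "phone": "555-0102", "street": "3 Elm Rd"},
]


def vulnerable_search(caller_account_id, filters):
    """Return every record matching the caller-supplied filters.

    The caller must be logged in, but their identity is never used to scope the
    query, and glob metacharacters are honoured, so {"email": "*"} matches all.
    """
    if caller_account_id is None:
        raise PermissionError("login required")
    results = []
    for rec in RECORDS:
        if all(fnmatch.fnmatchcase(rec.get(field, ""), pattern)
               for field, pattern in filters.items()):
            results.append(rec)
    return results


def hardened_search(caller_account_id, filters):
    """Same API with two fixes.

    1. Wildcard metacharacters are rejected outright; matching is exact.
    2. Authorization is enforced per object: only the record belonging to the
       authenticated account is ever considered, whatever the filters say.
    """
    if caller_account_id is None:
        raise PermissionError("login required")
    for field, pattern in filters.items():
        if any(ch in pattern for ch in "*?["):
            raise ValueError(f"wildcards not permitted in {field}")
    results = []
    for rec in RECORDS:
        if rec["account_id"] != caller_account_id:
            continue  # object-level authorization: skip everyone else's data
        if all(rec.get(field, "") == pattern for field, pattern in filters.items()):
            results.append(rec)
    return results


if __name__ == "__main__":
    # Logged in as account 1001, a single wildcard query dumps every record.
    print(len(vulnerable_search("1001", {"email": "*"})), "records leaked")
    # The hardened handler refuses the wildcard and only ever returns the caller's own record.
    print(hardened_search("1001", {}))
```

The hardening point is that the wildcard rejection alone is not enough: without the `account_id` scoping, an attacker could still enumerate accounts by guessing exact email addresses one at a time.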
The anonymous researcher says he informed USPS of his findings more than a year ago but never received a response. Once Krebs on Security flagged the flaw, however, USPS "promptly" addressed it.
In a statement given to Engadget, USPS says that there's no evidence that the flaw was exploited.
"We currently have no information that this vulnerability was leveraged to exploit customer records. The information shared with the Postal Service allowed us to quickly mitigate this vulnerability," a spokesperson said.
"Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service's Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity.
"Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."