The USPS, the American postal service, has closed a vulnerability that made the data of about 60 million customers visible to anyone logged in to its website, Silicon Angle reports. The vulnerability was in an API used by the website.
The vulnerability was discovered by security researcher Brian Krebs. The error was an authentication vulnerability in an API called “Informed Visibility”, which is designed to track and analyze the senders of large volumes of mail.
The service was supposed to be available only to those senders, but the API allowed anyone logged in to USPS.com to search the system for other users’ account details, including e-mail addresses, usernames, account numbers, postal addresses and telephone numbers. The vulnerability also allowed users to request changes to other users’ accounts, such as the e-mail address or the telephone number.
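The flaw described above is a missing object-level authorization check: the API verified that the caller was logged in but not that the requested record belonged to them. The following added example (not USPS code; the account data is constructed) shows a minimal lookup-and-update handler with that defect beside a hardened version that ties every read and write to the session identity.

```python
# Added example, not code from USPS or the original article.
# Constructed sample records; ids, names and contact details are invented.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com", "phone": "555-0101"},
    1002: {"owner": "bob", "email": "bob@example.com", "phone": "555-0102"},
}


class Forbidden(Exception):
    """Caller is authenticated but not authorized for this record."""


def get_account_vulnerable(session_user, account_id):
    # Authentication only: any logged-in user can read any account.
    # This is the defect pattern described in the article.
    if session_user is None:
        raise PermissionError("login required")
    return ACCOUNTS[account_id]


def get_account_hardened(session_user, account_id):
    # Authentication plus object-level authorization: the record's owner
    # must match the server-side session identity, never a caller-supplied
    # "user" parameter from the request.
    if session_user is None:
        raise PermissionError("login required")
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # One response for "missing" and "not yours", so the API does not
        # confirm which account ids exist to a probing caller.
        raise Forbidden("not found")
    return record


def update_email_hardened(session_user, account_id, new_email):
    # Writes reuse the same ownership check as reads; a fix that only
    # covers lookups still leaves the "change another user's e-mail" path open.
    record = get_account_hardened(session_user, account_id)
    record["email"] = new_email
    return record


def can_access(session_user, account_id, hardened=True):
    # Helper for checking the two behaviours side by side.
    fn = get_account_hardened if hardened else get_account_vulnerable
    try:
        fn(session_user, account_id)
        return True
    except (Forbidden, PermissionError, KeyError):
        return False
```

Logging the `Forbidden` path with the session identity and the requested account id gives a simple detection signal: one session touching many account ids it does not own is the enumeration pattern this class of bug invites.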
USPS closed the vulnerability before Krebs published the details. In a statement, the company says it has no information that the vulnerability was abused to steal customer data. It adds, however, that it is investigating the incident further to ensure that anyone who tried to enter the system would be prosecuted.
Setu Kulkarni, vice president of strategy and business development at WhiteHat Security, says the role of the API in the vulnerability is worth noting. “APIs appear to be a sword that cuts both ways when it comes to B2B connections and security on the scale of the Internet. If they are unsafe, APIs break down the whole idea of connectivity that they helped set up.”
To prevent such errors, government agencies and companies need to be proactive about application security, says Kulkarni. He calls it an obligation for every company that handles consumer data to carry out thorough security testing of the vulnerable parts: APIs, network connections, mobile apps, websites and databases.