The United States Postal Service (USPS) has fixed its broken API that had exposed the account details of 60 million users who had signed up for the service “Informed Delivery”.
Informed Delivery is a new service from USPS that lets people see scanned images of all their incoming mail. The images are sent before the mail is actually delivered, so subscribers can keep track of their mail and find out in advance whether an important item is due to arrive that day.
The security flaw allowed anyone with a USPS account to view the details of other registered users of the service, and even to change some of those details.
The flaw was first reported by a researcher last year, who was able to extract user data simply by sending requests to the server. The researcher tried to contact USPS multiple times to report the flaw, but in vain. The researcher showed that when wildcard characters were sent in the request parameters, the server accepted most of them, returning the details of many account holders at once.
Security specialist Brian Krebs said that any logged-in USPS user was able to search for the account details of other USPS users. Details such as account number, username, email address, user ID, phone number, mailing campaign data, address, and other information were easily accessible. Some fields, however, could not be changed, because a validation step was attached to those fields before their data could be modified.
According to Krebs, this was a huge security failure on the part of USPS, since no real hacking expertise was required to get at the data: anyone with basic knowledge of how to view and modify page elements in a browser could access other users' account details. USPS stated that it has so far received no evidence that any of its users' account details were exploited.
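The flaw described above is a textbook broken-object-level-authorization bug: a lookup endpoint that trusts a user-supplied search parameter (including wildcards) and never checks that the caller is entitled to the records it returns. The following Python is an added illustration written for this article, not USPS code; the account records, field names, the `verified` flag standing in for the validation step the article mentions, and the list of which fields are protected are all constructed assumptions. It puts the vulnerable lookup beside a hardened version that rejects wildcard metacharacters, scopes reads to the caller's own record, and gates sensitive updates behind the verification step.

```python
"""Constructed illustration of the USPS-style access-control flaw (not USPS code):
a vulnerable account lookup beside a hardened one with object-level authorization."""
from dataclasses import dataclass, replace
import fnmatch


@dataclass(frozen=True)
class Account:
    username: str
    account_number: str
    email: str
    phone: str
    street_address: str


# Constructed sample records, invented for this example.
ACCOUNTS = {
    a.username: a
    for a in (
        Account("alice", "100001", "alice@example.com", "555-0100", "1 Main St"),
        Account("bob", "100002", "bob@example.com", "555-0101", "2 Oak Ave"),
        Account("carol", "100003", "carol@example.com", "555-0102", "3 Elm Rd"),
    )
}

# Glob/SQL-style metacharacters that should never reach a record lookup.
WILDCARD_CHARS = frozenset("*?[%")
# Fields a caller may change through this endpoint (assumption for the example).
MUTABLE_FIELDS = frozenset({"email", "phone", "street_address"})
# Fields that additionally require a completed verification step (assumption,
# modelling the validation step the article says protected some fields).
VERIFIED_FIELDS = frozenset({"email", "phone"})


def vulnerable_lookup(session_user: str, query: str) -> list[Account]:
    """The flawed pattern: the search parameter is matched as a wildcard pattern
    and session_user is never consulted, so '*' returns every account."""
    return [a for a in ACCOUNTS.values() if fnmatch.fnmatchcase(a.username, query)]


def hardened_lookup(session_user: str, query: str) -> list[Account]:
    """Reject wildcards outright, then return a record only if it belongs to the caller.
    'Not found' and 'not yours' give the same empty answer so the endpoint cannot be
    used to enumerate which usernames exist."""
    if any(c in WILDCARD_CHARS for c in query):
        raise ValueError("wildcard characters are not accepted in account lookups")
    account = ACCOUNTS.get(query)
    if account is None or account.username != session_user:
        return []
    return [account]


def hardened_update(session_user: str, target_username: str, field: str,
                    value: str, verified: bool = False) -> Account:
    """Server-side owner check on every write, plus a verification requirement for
    sensitive fields; the client's say-so is never trusted for either."""
    account = ACCOUNTS.get(target_username)
    if account is None or account.username != session_user:
        raise PermissionError("callers may only modify their own account")
    if field not in MUTABLE_FIELDS:
        raise ValueError(f"field {field!r} cannot be changed through this endpoint")
    if field in VERIFIED_FIELDS and not verified:
        raise PermissionError(f"changing {field!r} requires a completed verification step")
    updated = replace(account, **{field: value})
    ACCOUNTS[target_username] = updated
    return updated


if __name__ == "__main__":
    print("vulnerable, query '*':", [a.username for a in vulnerable_lookup("alice", "*")])
    print("hardened, own record:", hardened_lookup("alice", "alice"))
    print("hardened, someone else's:", hardened_lookup("alice", "bob"))
```

The key difference is that `hardened_lookup` derives the authorization decision from the server-side session, not from anything the client sends, and treats the query as an exact key rather than a pattern; `hardened_update` applies the same owner check on writes so that the fields without a validation step are no longer modifiable by other users.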