USPS took a year to fix a vulnerability that exposed all 60 million users’ data

USPS took a year to fix a vulnerability that exposed all 60 million users’ data

6 years ago
Anonymous $L9wC17otzH

https://www.theverge.com/2018/11/22/18107945/usps-postal-service-data-vulnerability-security-patch-60-million-users

The US Postal Service says it’s fixed a security weakness on usps.com that let anyone see the personal account info of its users, including usernames and street addresses. The open vulnerability was reportedly identified over a year ago by an independent researcher but USPS never patched it until this week, when Krebs on Security flagged the issue.

The vulnerability included all 60 million user accounts on the website. It was caused by an authentication weakness in the site’s application programming interface (API) that allowed anyone to access a USPS database offered to businesses and advertisers to track user data and packages. The API should have verified whether an account had permissions to read user data but USPS didn’t have such controls in place.