US Postal Service Exposes 60 Million Users in API Snafu

Written by

The US Postal Service (USPS) is in the dock after an apparent API vulnerability exposed the account details of 60 million users of its online service.

The issue related to a service known as “Informed Visibility” which USPS offered to businesses, allowing them to access near real-time tracking data on packages. However, along with this data, the related API also allowed anyone logged in to USPS.com to query the account details of other users of the site and even modify some details.

These included email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and more, according to Brian Krebs.

It appears as if the developers forgot a key element of cybersecurity when designing the API: access controls.

USPS claimed in a statement that the incident has now been mitigated and that it has no information that it was used in any criminal endeavor.

“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously,” it continued. “Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

With APIs becoming increasingly popular, security concerns have started to emerge. An Imperva poll earlier this year claimed 69% of firms are exposing APIs to the public and their partners, managing 363 on average per organization.

Tim Mackey, senior technology evangelist at Synopsys, said organizations should view tracking of API dependencies as a core risk reduction strategy.

“Understanding the data transmitted to an API and a method to validate the sanity of the returned data should be part of the review process in all development and procurement teams,” he added. “Armed with this information, API consumers can then monitor for any security disclosures associated with their API usage.”

Bernard Harguindeguy, CTO of Ping Identity, added that the USPS snafu should be a wake-up call for developers.

“Effective API security starts with deep visibility into all API traffic, followed by strong authentication and data governance,” he argued. “Companies' crown jewels — their customers' data — are increasingly being made accessible via APIs, and protecting this infrastructure from vulnerabilities and cyber-attacks has to be the top priority for CISOs and CIOs everywhere."

What’s hot on Infosecurity Magazine?