US Postal Service API flaw exposes data on 60 million users

Posted by barello at 2020-03-23

USPS has fixed a serious vulnerability that allowed any logged-in user to view the account details of about 60 million other users and, in some cases, to modify those details.

KrebsOnSecurity was contacted last week by the researcher who discovered the problem, who asked to remain anonymous. The researcher said he had informed the U.S. Postal Service of his findings more than a year ago but never received a response. After confirming the finding, KrebsOnSecurity contacted USPS, which fixed the flaw promptly.

The flaw stemmed from an authentication weakness in a USPS web component known as an application programming interface (API). An API's main job is to define how the parts of an application, such as databases and web pages, interact with one another.

The API belongs to a Postal Service program called "Informed Visibility", which, according to USPS, aims to help businesses, advertisers and other bulk mailers make better business decisions by giving them near-real-time tracking data on mail pieces.

In addition to exposing near-real-time data on parcels and mail sent by USPS commercial customers, the vulnerability allowed any logged-in user to query the system for account details belonging to other users, such as email address, user name, user ID, account number, street address, telephone number, authorized users, mailing activity data and other information.

Many of the API's functions accepted "wildcards" as search parameters, meaning they could return every record in a given dataset without the caller specifying a particular search term. No special hacking tools were needed to retrieve this data beyond knowing how to view and modify data elements in an ordinary web browser such as Chrome or Firefox.

For a data element shared by several accounts (such as a street address), an API search would typically return multiple records. For example, searching by the email addresses of readers who volunteered to help with the investigation turned up several accounts whenever more than one user had registered at the same physical address.

"It's bad," said an anonymous reader who volunteered to help with the investigation after looking up the U.S. Postal Service account information that could be found by his email address. "Especially after I was threatened by my neighbors and moved."

Nicholas Weaver, a researcher at the International Computer Science Institute and a lecturer at the University of California, Berkeley, said the API should verify that any request to read data from an account is authorized.

"It doesn't even belong to Information Security 101; implementing access control is Information Security 1," Weaver said. "It seems that the only access control USPS does is when you log in. If you can access other people's data because USPS's access control is not strict, it will be a disaster, and I bet they don't have permission control when writing data."

A cursory inspection by KrebsOnSecurity showed that the flawed API also let any user change information on other users' accounts, such as email addresses, phone numbers or other key details.
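The two weaknesses described above (wildcard search parameters that return every record, and read and write paths that never check whether the caller owns the record) are illustrated by the following added example; it is not USPS code, and the account records, user IDs and field names are constructed for illustration.

```python
# Added example (not USPS code): a simplified account-lookup API modelled on the
# weaknesses described in the article, with a hardened version beside each.
import fnmatch

# Constructed sample records; not real USPS data.
ACCOUNTS = [
    {"user_id": "u1", "email": "alice@example.com", "street": "1 Main St", "phone": "555-0100"},
    {"user_id": "u2", "email": "bob@example.com",   "street": "1 Main St", "phone": "555-0101"},
    {"user_id": "u3", "email": "carol@example.org", "street": "9 Elm Ave", "phone": "555-0102"},
]
SEARCHABLE_FIELDS = {"email", "street", "phone"}


def lookup_vulnerable(caller_id, field, pattern):
    """Mirrors the flaw: the caller's identity is ignored, any field may be
    searched, and a wildcard such as '*' returns every record in the dataset."""
    return [rec for rec in ACCOUNTS if fnmatch.fnmatch(rec[field], pattern)]


def lookup_hardened(caller_id, field, pattern):
    """Object-level authorization: the field must be on an allow-list, wildcard
    patterns are rejected, and the search runs only over records the caller
    owns, so a match on a shared value (e.g. a street) never leaks a neighbour."""
    if field not in SEARCHABLE_FIELDS:
        raise ValueError("unsupported search field")
    if any(ch in pattern for ch in "*?["):
        raise PermissionError("wildcard search not permitted")
    owned = [rec for rec in ACCOUNTS if rec["user_id"] == caller_id]
    return [rec for rec in owned if fnmatch.fnmatch(rec[field], pattern)]


def update_phone_vulnerable(caller_id, target_id, new_phone):
    """Write path with the weakness Weaver describes: nothing ties the caller
    to the record being modified."""
    for rec in ACCOUNTS:
        if rec["user_id"] == target_id:
            rec["phone"] = new_phone
            return True
    return False


def update_phone_hardened(caller_id, target_id, new_phone):
    """Refuse writes to any record the caller does not own before touching data."""
    if caller_id != target_id:
        raise PermissionError("caller may only modify its own account")
    return update_phone_vulnerable(caller_id, target_id, new_phone)
```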

Fortunately, USPS does appear to include a validation step that blocks unauthorized changes to some sensitive fields. When an attempt is made to modify the email address on a USPS account through the API, the system sends a confirmation message to the email address already associated with the account, and the change is completed only by clicking the link in that message.

Although KrebsOnSecurity made only a brief and limited check of the API's many functions before reporting the problem to USPS, it does not appear that USPS account passwords were exposed through the API. A copy of the API as it existed before USPS modified it on November 20 is provided at this link for reference only.

Modifying the user data tied to Informed Visibility could cause problems for major USPS customers, such as Netflix and other companies that receive lower postage rates because of their high mailing volumes. For example, the API allowed any user to convert a regular account into an Informed Visibility business account and vice versa.

Robert Hansen, chief technology officer of Bit Discovery, a security company based in Austin, Texas, said spammers and email scammers could also have been "greatly helped" by the flaws in the U.S. Postal Service's API.

In a statement shared with KrebsOnSecurity, USPS said there was no evidence that the vulnerability had been exploited, and that the information KrebsOnSecurity shared allowed it to eliminate the vulnerability quickly. The statement reads:

"Computer networks are constantly under attack by criminals who attempt to exploit vulnerabilities to illegally obtain information. Like other companies, all Postal Service services use industry-best information security processes and checks to continuously monitor our networks and stop suspicious activity." "Any indication that a criminal has attempted to exploit potential vulnerabilities in our network is taken seriously. Out of an abundance of caution, the Postal Service is investigating further to ensure that anyone who attempts to access our systems inappropriately is pursued to the fullest extent of the law."

According to a vulnerability assessment report (PDF) issued in October 2018 by the Office of the Inspector General (OIG) of the U.S. Postal Service, auditors found a number of authentication and encryption weaknesses in the service, but they appear to have overlooked this rather obvious security issue. USPS told the OIG that it had resolved the authentication issues raised in the audit report, which appear to concern how data is encrypted in transit.

The API flaw is the latest security problem in the Postal Service's modernization efforts. Informed Visibility is a sister program of USPS Informed Delivery, which lets residents view scanned images of all the mail they are about to receive. The API flaw affects all users, including the 13 million Informed Delivery users.

As detailed in many earlier stories here, Informed Delivery has struggled to achieve adequate security and to prevent identity theft and abuse of the system.

Earlier this month, KrebsOnSecurity disclosed an internal U.S. Secret Service memo about identity theft carried out by misusing the Informed Delivery service, which ultimately led to mail theft. According to the memo, fraudsters in several states ordered new credit cards in victims' names and then, posing as the victim, signed up for Informed Delivery, so that the thief would know when the new credit card would arrive in the mailbox.

Although information disclosure and authentication vulnerabilities are usually very simple to fix, it is worth noting that many organizations are reluctant to invest the resources to do so. In September, the author detailed how a company used by thousands of state and local governments to accept online payments had leaked more than 14 million records.

In August, KrebsOnSecurity revealed similar vulnerabilities on hundreds of small bank websites operated by Fiserv, a company that mainly provides technology services to financial institutions.

In July, LifeLock, an identity theft protection service, fixed an information disclosure flaw that exposed the email addresses of millions of users. In April 2018, a flaw was closed that had exposed millions of customer names, email and physical addresses, birthdays and some credit card numbers.