A security vulnerability in the United States Postal Service (USPS) exposed more than 60 million customers’ personal information to all the users who have an account with the USPS.com. The USPS is an independent mail service agency in the United States and authorized by the United States Constitution.
However, the mail service provider patched the vulnerability recently after Brian Krebs, an investigating reporter, flagged the issue. The security flaw was first identified by an independent researcher a year ago, but USPS never patched it until this week, Krebs stated in his blog KrebsonSecurity.
Krebs stated that he was contacted by an anonymous researcher, who discovered the problem, and said he informed the USPS about his finding a year ago but never received a response. After confirming the research findings, Krebs contacted the USPS officials to report the problem.
The research findings revealed an authentication weakness in the USPS website’s API (Application Program Interface) that lets any usps.com user access other users’ information such as email address, username, user ID, account number, street address, phone number, authorized users, and mailing campaign data.
In a statement shared with KrebsOnSecurity, the USPS stated the information shared by Krebs helped them to immediately mitigate the issue. “Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity,” the UPSC added. “Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”