The US Postal Service exposed data of 60 million users

A broken US Postal Service API exposed data from over 60 million users and allowed a researcher to pull millions of rows of data by sending
wildcard requests to the server.
The resulting security hole has been patched after repeated requests to the USPS. The USPS service, called Informed Delivery, allows you to
view your mail before it arrives at your home and offered an API to allow users to connect their mail to specialized services like CRMs.
We profiled the service in 2017. The anonymous researcher showed that the service accepted wildcards for many searches, allowing any user
to see any other users on the site.
Brian Krebs has a copy of the API on his site. The USPS told Krebs that it had investigated the hack and that: "Computer networks are
constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information.
Similar to other companies, the Postal Service Information Security program and the Inspection Service uses industry best practices to
constantly monitor our network for suspicious activity." "Any information suggesting criminals have tried to exploit potential
vulnerabilities in our network is taken very seriously.
Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems
inappropriately is pursued to the fullest extent of the law." Krebs also reported that identity thieves are misusing the service to see what
mail is arriving at users' homes on which days, allowing them to grab important documents and checks at will.
The API hole is currently patched but there is no telling what other mishandled features will crop up in this powerful tool.