The United States Postal Service (USPS) has fixed a security flaw that allowed anyone with an account on usps.com to view the account details of any of the roughly 60 million people who had registered for the service. In some cases, the flaw even allowed changes to be made to those accounts. In a blog post, security journalist Brian Krebs said he was recently contacted by a researcher who said he had reported the problem to USPS about a year earlier. Having received no response, the researcher contacted Krebs, who took the problem directly to USPS; the postal service now says it has fixed the error.
When asked why it apparently took a year to deal with the problem, a USPS spokesman disputed that the service was at fault, saying it has not been able to verify that the earlier contact actually took place. Krebs explained that the flaw stemmed from an authentication weakness in a usps.com API tied to a USPS service called "Informed Visibility," which gives businesses, advertisers and other bulk mailers near-real-time tracking data for their mail campaigns and packages.
Beyond exposing near-real-time data on packages and mail sent by USPS commercial customers, Krebs explained that the vulnerability allowed any registered usps.com user to query the system for the account details of any other user: email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and more.
Worse, some of that data could be modified, although Krebs noted that for certain fields a two-step verification requirement prevented any change from taking effect.
Highlighting the severity of the flaw, Krebs said that "no special hacking tools were needed to extract this information, apart from the knowledge of how to view and modify the data elements processed by a normal web browser such as Chrome or Firefox".
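The flaw class Krebs describes is an API that verifies the caller is logged in but never checks that the record being requested or edited belongs to that caller, so any authenticated user can read or change any other user's record simply by altering the identifier the browser sends. The following is an added illustration of that pattern beside its corrected form; it is a constructed example, not USPS's code, and says nothing about how the real Informed Visibility API is built. All function names, field names and the sample records are invented for the demonstration.

```python
"""Broken vs. fixed object-level authorization in an authenticated API.

Constructed example: the account records, field names and functions here
are hypothetical and do not reflect any real usps.com or Informed Visibility
endpoint. The point is the difference between "is the caller logged in?"
(what the vulnerable handler checks) and "does this record belong to the
caller?" (what the fixed handler checks).
"""


class Forbidden(Exception):
    """Raised when a request is refused."""


def make_accounts() -> dict:
    """Fresh copy of constructed sample data: two tenants of a fictional bulk-mail API."""
    return {
        "1001": {"owner": "alice", "email": "alice@example.com", "phone": "555-0100"},
        "1002": {"owner": "bob",   "email": "bob@example.com",   "phone": "555-0200"},
    }


# Fields whose change must pass an extra confirmation step (the article notes
# that some fields were protected this way even when others were not).
STEP_UP_FIELDS = {"email"}


def _is_authenticated(accounts: dict, caller: str) -> bool:
    return any(acct["owner"] == caller for acct in accounts.values())


def get_account_vulnerable(accounts: dict, caller: str, account_id: str) -> dict:
    """Broken: proves the caller has an account, then trusts the client-supplied ID.

    Any logged-in user can retrieve any other user's record by changing the
    identifier their browser submits; nothing ties account_id to caller.
    """
    if not _is_authenticated(accounts, caller):
        raise Forbidden("not authenticated")
    return accounts[account_id]


def get_account_fixed(accounts: dict, caller: str, account_id: str) -> dict:
    """Fixed: authorization is decided against the record's owner, server-side.

    'Missing' and 'not yours' get the same response so a caller cannot
    enumerate which identifiers exist.
    """
    acct = accounts.get(account_id)
    if acct is None or acct["owner"] != caller:
        raise Forbidden("no such account")
    return acct


def update_account_fixed(accounts: dict, caller: str, account_id: str,
                         field_name: str, value: str, step_up_ok: bool = False) -> dict:
    """Fixed write path: ownership check first, then field-level rules."""
    acct = get_account_fixed(accounts, caller, account_id)
    if field_name not in acct or field_name == "owner":
        raise ValueError("unknown or immutable field")
    if field_name in STEP_UP_FIELDS and not step_up_ok:
        raise Forbidden("second confirmation step required")
    acct[field_name] = value
    return acct


def denied(fn, *args, **kwargs) -> bool:
    """True if calling fn raises Forbidden; used to show the contrast below."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    accounts = make_accounts()
    # Alice is logged in and asks for Bob's record (ID 1002).
    print("vulnerable:", get_account_vulnerable(accounts, "alice", "1002"))
    print("fixed denies cross-account read:", denied(get_account_fixed, accounts, "alice", "1002"))
    print("fixed denies cross-account write:",
          denied(update_account_fixed, accounts, "alice", "1002", "phone", "555-0000"))
    print("own phone update:", update_account_fixed(accounts, "alice", "1001", "phone", "555-0199"))
    print("email change without step-up denied:",
          denied(update_account_fixed, accounts, "alice", "1001", "email", "x@example.com"))
```

The vulnerable handler is the shape Krebs's description implies: the session proves who the caller is, but the record identifier comes from the client and is used as-is. The fix is not a stronger login; it is a per-request check that the object belongs to the caller, applied on both the read and the write path, with the extra confirmation step layered on top for sensitive fields rather than standing in for the ownership check.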
USPS, for its part, said it takes any attempt to access its customers' data very seriously, that it is investigating what happened, and that it will pursue anyone found to have broken the law. At this time, it says there is no evidence that customer records have been exploited in any way.