A broken U.S. Postal Service API exposed more than 60 million users by allowing a researcher to pull millions of rows of data by sending wildcard requests to the server. The resulting security hole has been patched after repeated requests to the USPS.
The USPS service, called InformedDelivery, allows you to view your mail before it arrives at your home and offered an API to allow users to connect their mail to specialized services like CRMs. We profiled the service in 2017.
The anonymous researcher showed that the service accepted wildcards for many searches, allowing any user to see any other users on the site. Brian Krebs has a copy of the API’s code on his site.
The USPS told Krebs that it had investigated the data exposure and that:
Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity.
Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.
Krebs also reported that identity thieves are misusing the service to see what mail is arriving at users’ homes on which days, allowing them to grab important documents and checks at will. The API vulnerability has been patched, but there is no telling what other mishandled features will crop up in this powerful tool.