U.S. Postal Service just fixed a security flaw that allowed anyone who has an account at usps.com to view account details for some 60 million other users. They could even modify the account details on their behalf! The problem arose out of a security weakness in the API. The API accepted “wildcard” search parameters. This API was tied to a Postal Service initiative called “Informed Visibility,” which was designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages. So, the real-time data about packages and mail being sent by USPS commercial customers was being exposed. Also, any logged-in user could query the system for account details belonging to other users, such as their email addresses, usernames, account number, street address, phone number, etc.
Another fact that alarmed me was that the flaw was discovered and reported to the USPS over a year ago, but they never acted on it until now.
https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/
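The weakness described in the post is an authorization failure in the API layer: the server checks that the caller is logged in, but lets a client-supplied search parameter, including a wildcard, decide which accounts come back. The following is an added illustration written for this page, not code from the original post or from USPS; the endpoint shape, field names, account records and log lines are all constructed. It puts the weak lookup beside a version that scopes every lookup to the authenticated session, and adds a small log check a defender could run to spot wildcard or cross-account lookups after the fact.

```python
"""Added example (not from the original post or USPS): a toy account-lookup
endpoint with the wildcard weakness the post describes, a hardened version,
and a log check that flags wildcard and cross-account lookups.
All names, records and log lines below are constructed."""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Account:
    account_id: str
    username: str
    email: str
    street: str
    phone: str


# Constructed sample data standing in for the account store.
ACCOUNTS = {
    "1001": Account("1001", "alice", "alice@example.org", "1 Elm St", "555-0101"),
    "1002": Account("1002", "bob", "bob@example.org", "2 Oak St", "555-0102"),
    "1003": Account("1003", "carol", "carol@example.org", "3 Ash St", "555-0103"),
}


def lookup_vulnerable(session_user: str, account_filter: str) -> list[Account]:
    """Weak pattern: the login is checked, but the client's filter decides which
    rows are returned and is matched as a glob, so a logged-in user who sends
    '*' (or '10*') receives every other user's record."""
    if session_user not in ACCOUNTS:
        raise PermissionError("login required")
    return [a for a in ACCOUNTS.values()
            if fnmatch.fnmatchcase(a.account_id, account_filter)]


def lookup_hardened(session_user: str, account_filter: str) -> list[Account]:
    """Fixed pattern: the row set is derived from the session, not the request.
    The client filter is validated as an exact numeric id (no wildcard syntax)
    and may only select the caller's own record."""
    if session_user not in ACCOUNTS:
        raise PermissionError("login required")
    if not account_filter.isdigit():
        raise ValueError("account id must be an exact numeric id")
    if account_filter != session_user:
        raise PermissionError("callers may only read their own account")
    return [ACCOUNTS[session_user]]


def rejection_reason(session_user: str, account_filter: str) -> str | None:
    """Helper for tests: name of the exception the hardened lookup raises, or
    None when the lookup is allowed."""
    try:
        lookup_hardened(session_user, account_filter)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
    return None


# Constructed access-log lines in a simple "user=<id> GET <path> <status>" shape.
SAMPLE_LOG = [
    "2018-11-20T10:00:01Z user=1001 GET /accounts?id=1001 200",
    "2018-11-20T10:00:05Z user=1002 GET /accounts?id=* 200",
    "2018-11-20T10:00:09Z user=1002 GET /accounts?id=10%2A 200",
    "2018-11-20T10:00:12Z user=1003 GET /accounts?id=1001 200",
    "2018-11-20T10:00:15Z user=1003 GET /accounts?id=1003 200",
]

LOG_RE = re.compile(r"user=(?P<user>\S+) GET (?P<path>\S+) (?P<status>\d{3})")


def flag_suspicious_lookups(log_lines: list[str]) -> list[tuple[str, str]]:
    """Detection check: return (user, id-parameter) pairs where the requested id
    is not an exact numeric id (wildcard syntax, URL-encoded or not) or does not
    match the requesting user (a cross-account read)."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("path")).query)  # decodes %2A to *
        for value in params.get("id", []):
            if not value.isdigit() or value != m.group("user"):
                flagged.append((m.group("user"), value))
    return flagged


if __name__ == "__main__":
    print("vulnerable, filter '*':", [a.username for a in lookup_vulnerable("1001", "*")])
    print("hardened, filter '*':", rejection_reason("1001", "*"))
    print("flagged log entries:", flag_suspicious_lookups(SAMPLE_LOG))
```

The design point is that the hardened version never lets request data widen the result set: the session identity selects the record, and the client-supplied id is only checked for agreement with it. The log check is the retrospective counterpart; the same three conditions (non-numeric id, wildcard characters, id differing from the session user) are what a request-validation layer should reject up front.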
Nishit Darade says
Hi Satwika,
This is very surprising information to find regarding USPS, which handles such a high volume of PII data.