API vulnerability: Wild card to win USPS customer data
The US Postal Service launched its Informed Visibility program last year to provide better insight into their mailstream service. For example, one can obtain near real-time notifications about delivery dates and identify trends. However, they have made much more data available than intended, at least 60 million customers were exposed to anyone who is registered on http://www.usps.com. To make things more unnerving, a researcher had reported this vulnerability long before, but nobody didn’t care to patch it until November 2018.
The USPS website has an API that is tied to this service, and several endpoints accepted search parameters containing wildcards. Wildcards are special characters functioning as placeholders. When processed, they are matched against strings based on a specific set of rules. In this case, this meant that you didn’t need to possess any personal data about the customers to look them up, you could simply get information about anybody. Moreover, the API didn’t even bother to check if the user had an adequate privilege level to initiate such actions. To abuse this vulnerability, all you needed was an account and a modern web browser, where you could modify data elements in a specific way before posting your request.
Attackers could have queried for usernames and IDs, e-mail addresses, account numbers, street addresses, phone numbers, and other private information. Because of this API vulnerability, it was also possible to request account changes on another user’s behalf. They also had a service called Informed Delivery, where it was possible to monitor an individual’s mailing address without their consent. Identity thieves abused this by impersonating individuals when applying for credit cards, then USPS notified them about the exact date of delivery, so they could steal the credit cards immediately when they arrived from the mailboxes.
This breach shouldn’t have happened because the problem was so trivial. It is important to focus on the most probable attack vectors but you also have to think about overall security. It is similar to a house of cards, every little mistake increases the chance of destroying everything.
Learn from others’ mistakes
You can try to solve a similar challenge on our platform to have a deeper understanding of this issue and how to avoid it in your own projects. A C++ backend is running in this environment which accepts glob patterns and it is waiting for you to hack it.
Share this post on social media!
Learn about Insecure Direct Object Reference and the steps you can take as a developer to make sure your applications are safeguarded against cyberattacks.
Having the right security mindset is important, so we asked an expert about learning security and building security awareness!
Authentication and authorization both can be associated with common security vulnerabilities. Here are some ways to prevent them!