The vulnerability

The USPS website has an API that is tied to this service, and several endpoints accepted search parameters containing wildcards. Wildcards are special characters functioning as placeholders. When processed, they are matched against strings based on a specific set of rules. In this case, this meant that you didn’t need to possess any personal data about the customers to look them up, you could simply get information about anybody. Moreover, the API didn’t even bother to check if the user had an adequate privilege level to initiate such actions. To abuse this vulnerability, all you needed was an account and a modern web browser, where you could modify data elements in a specific way before posting your request.

Leaked information

Attackers could have queried for usernames and IDs, e-]mail addresses, account numbers, street addresses, phone numbers and other private information. It was also possible to request account changes on an other user’s behalf. They also had a service called Informed Delivery, where it was possible to monitor an individual’s mailing address without their consent. Identity thieves abused this by impersonating individuals when applying for credit cards, then USPS notified them about the exact date of delivery, so they could steal the credit cards immediately when the arrived from the mailboxes.

Learn from others’ mistakes

You can try to solve a similar challenge on our platform to have a deeper understanding about this issue and how to avoid it in your own projects. A C++ backend is running in this environment which accepts glob patterns and it is waiting for you to hack it.

Conclusion

This breach shouldn’t have happened because the problem was so trivial. It is important to focus on the most probable attack vectors but you also have to think about overall security. It is similar to a house of cards, every little mistake increases the chance of destroying everything.