The US Postal Service launched its Informed Visibility program last year to provide better insight into their mailstream service. For example, one can obtain near real-time notifications about delivery dates and identify trends. However, they have made much more data available than intended, at least 60 million customers were exposed to anyone who is registered on http://www.usps.com. To make things more unnerving, a researcher had reported this vulnerability long before, but nobody didn’t care to patch it until November 2018.
API vulnerability
The USPS website has an API that is tied to this service, and several endpoints accepted search parameters containing wildcards. Wildcards are special characters functioning as placeholders. When processed, they are matched against strings based on a specific set of rules. In this case, this meant that you didn’t need to possess any personal data about the customers to look them up, you could simply get information about anybody. Moreover, the API didn’t even bother to check if the user had an adequate privilege level to initiate such actions. To abuse this vulnerability, all you needed was an account and a modern web browser, where you could modify data elements in a specific way before posting your request.
Leaked information
Attackers could have queried for usernames and IDs, e-mail addresses, account numbers, street addresses, phone numbers, and other private information. It was also possible to request account changes on another user’s behalf. They also had a service called Informed Delivery, where it was possible to monitor an individual’s mailing address without their consent. Identity thieves abused this by impersonating individuals when applying for credit cards, then USPS notified them about the exact date of delivery, so they could steal the credit cards immediately when they arrived from the mailboxes.
Conclusion
This breach shouldn’t have happened because the problem was so trivial. It is important to focus on the most probable attack vectors but you also have to think about overall security. It is similar to a house of cards, every little mistake increases the chance of destroying everything.
Learn from others’ mistakes
You can try to solve a similar challenge on our platform to have a deeper understanding of this issue and how to avoid it in your own projects. A C++ backend is running in this environment which accepts glob patterns and it is waiting for you to hack it.
Related Articles
How to turn your developers into security champions?
Reading Time: 9 minutes Security champions play a vital role in establishing and maintaining a security culture in an engineering organization. See how to turn your developers into security champions!
Why do you need a security champions program?
Reading Time: 6 minutes As the company grows the leadership wants to establish a security program to ensure the solid and undisrupted operation of the business. Security at this point is essential, especially when calculating the loss from a halted business, even for a few hours.
What’s next? – OWASP Top 10 2021
Reading Time: 9 minutes OWASP Top 10 Vulnerabilities in 2021 based on the non-official proposal of Phillippe De Ryck. Here is what we know.
Security Champions: Interview with Alexander Antukh, CISO of Glovo
Reading Time: 7 minutes Security champions represent an essential part of any security programs. They lead their teams on security projects, ensure internal security and help keeping security on the top of your mind. But how exactly they operate in a business? We asked Alexander Antukh, Director of Security at Glovo for professional insights.
5 best practices to successfully implement training as part of your security program
Reading Time: 6 minutes For most companies, security is considered a side quest, which is partly related to the daily processes. In reality, security ought to be a strong foundation of any organization. To ensure the defense of the enterprise, the relevant teams need strong security knowledge and abilities.