Thursday, November 22, 2018

60 Million USPS Users' Data Left Exposed for Over a Year Despite Notification by a Researcher


The U.S. Postal Service has addressed a security gap that allowed anyone with an account at usps.com not only to view but, in some cases, to modify account details belonging to more than 60 million users of a system called Informed Visibility.
An anonymous researcher who discovered the flaw informed the USPS a year ago but received neither a response nor a fix. Because of the danger the flaw posed, the same researcher contacted KrebsOnSecurity, while telling the journalist that he or she wished to remain anonymous.
KrebsOnSecurity contacted the USPS after confirming the researcher's findings, and the USPS promptly addressed the issue.

The problem stemmed from an authentication weakness in a USPS web component known as an “application program interface,” or API, tied to a Postal Service initiative called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages. You can get more information about the issues here.
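As an added illustration (not code from the article, the researcher or the USPS), the flaw class described above in miniature: the caller is authenticated, but the account id named in the request is never checked against the session user, so any logged-in caller can read and rewrite any account. The fixed handlers resolve the record through the session identity and limit which fields a client may change. All handler names, the store and the sample accounts are constructed.

```python
from copy import deepcopy

# Constructed sample records (not real data), keyed by account id.
SAMPLE_ACCOUNTS = {
    "acct-1001": {"owner": "alice", "email": "alice@example.invalid", "phone": "555-0100"},
    "acct-1002": {"owner": "bob", "email": "bob@example.invalid", "phone": "555-0101"},
}

def make_store():
    """Fresh copy of the constructed store so every run starts clean."""
    return deepcopy(SAMPLE_ACCOUNTS)

class Forbidden(Exception):
    """Raised when the session user does not own the requested account."""

# --- Vulnerable shape: caller is logged in, but any account id is served ---
def get_account_vulnerable(store, session_user, account_id):
    return store[account_id]           # session_user is never consulted

def update_account_vulnerable(store, session_user, account_id, changes):
    store[account_id].update(changes)  # any caller can rewrite any account
    return store[account_id]

# --- Fixed shape: the record is reached only through the session identity ---
UPDATABLE_FIELDS = {"email", "phone"}  # owner and id are never client-writable

def _owned_account(store, session_user, account_id):
    acct = store.get(account_id)
    if acct is None or acct["owner"] != session_user:
        # One error for both "does not exist" and "not yours", so the API
        # does not confirm which account ids are valid.
        raise Forbidden("account not accessible")
    return acct

def get_account_fixed(store, session_user, account_id):
    return _owned_account(store, session_user, account_id)

def update_account_fixed(store, session_user, account_id, changes):
    acct = _owned_account(store, session_user, account_id)
    rejected = set(changes) - UPDATABLE_FIELDS
    if rejected:
        raise ValueError(f"fields not updatable: {sorted(rejected)}")
    acct.update(changes)
    return acct
```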
