USPS has recently dealt with one of the biggest vulnerabilities it has faced, one that jeopardized the personal information of all of its 60 million-plus users.
Apparently, the USPS website was exposed to a vulnerability that could have resulted in dire consequences.
The United States postal agency's mail tracking data reportedly remained susceptible, exposing the details of all of its customers to any one of them. In other words, as a USPS user, you could run a query and look up usernames, street addresses, phone numbers, e-mail IDs, and other details pertaining to any USPS user.
The most fearsome facet of this bug was that it is said to have enabled any USPS user to request a modification of another user's personal details. Worse still, the USPS has no reconfirmation step before updating these details and no notification step after updating them.
Combined, these drawbacks raise the risk that the victim never discovers the change unless they log on to the USPS portal.
The Discovery
In other words, if you were a USPS user, the data you probably wanted to keep accessible to advertisers and businesses remained unconcealed to others. This vulnerability was reportedly discovered by an anonymous researcher who, during the previous week, confided in Brian Krebs, an American journalist and investigative reporter.
Thereafter, the US-based investigative reporter verified the same and diligently contacted the USPS, and the issue was duly addressed.
The Bug that caused it all
The unwelcome access was eventually traced to a vulnerable authentication system that lacked adequate access control. The website's API had an issue that exposed the details of all of its users to anyone logged in as a USPS user. This data should have been better guarded, as it could have enabled credit card theft or identity theft.
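The sketch below is an added example, not code from USPS or from the original report. It puts the "logged in is enough" lookup described above beside a version that checks account ownership, and adds the reconfirmation and notification steps the article says were missing. The account store, field names and function names are all hypothetical.

```python
import secrets

# Constructed sample accounts; field names are assumptions, not the USPS schema.
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "phone": "555-0100"},
    "bob": {"email": "bob@example.com", "phone": "555-0101"},
}
PENDING = {}  # confirmation token -> (account, field, new_value)
OUTBOX = []   # (recipient, message) pairs; stands in for e-mail delivery


class Forbidden(Exception):
    """The logged-in user may not act on the requested account."""


def lookup_vulnerable(session_user, target):
    # The flaw described above: being logged in is the only check made.
    if session_user not in ACCOUNTS:
        raise Forbidden(session_user)
    return ACCOUNTS[target]


def require_owner(session_user, target):
    # Object-level check: the session must belong to the account it touches.
    if target not in ACCOUNTS or session_user != target:
        raise Forbidden(target)


def lookup(session_user, target):
    require_owner(session_user, target)
    return dict(ACCOUNTS[target])


def request_change(session_user, target, field, new_value):
    """Stage a change; the token is sent only to the address on file."""
    require_owner(session_user, target)
    token = secrets.token_urlsafe(16)
    PENDING[token] = (target, field, new_value)
    OUTBOX.append((ACCOUNTS[target]["email"], f"Confirm change to {field}: {token}"))


def confirm_change(session_user, token):
    """Apply a staged change, then notify the previous address."""
    if token not in PENDING:
        raise Forbidden("unknown token")
    target, field, new_value = PENDING[token]
    require_owner(session_user, target)
    del PENDING[token]
    old_email = ACCOUNTS[target]["email"]
    ACCOUNTS[target][field] = new_value
    OUTBOX.append((old_email, f"Your {field} was changed"))
```

Sending both the confirmation token and the post-change notice to the address already on file means the account owner learns of a change even if it was requested from a hijacked session.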
Presently, the only credible safety measure is to sign up for the Informed Delivery Service, as over 13 million USPS users already have.