Connect with us

Hi, what are you looking for?


Application Security

U.S. Postal Service API Flaw Exposes Data of 60 Million Customers

The United States Postal Service (USPS) has fixed an API flaw that potentially exposed data on 60 million customers. A researcher reported the flaw to USPS more than a year ago; but it wasn’t until security blogger Brian Krebs contacted the organization this month that it took any action.

The United States Postal Service (USPS) has fixed an API flaw that potentially exposed data on 60 million customers. A researcher reported the flaw to USPS more than a year ago; but it wasn’t until security blogger Brian Krebs contacted the organization this month that it took any action.

The same researcher contacted Krebs. Krebs verified the flaw and contacted USPS, who this time “promptly addressed the issue”.

The problem was an API with inadequate authentication. All it required was for the user to be logged in to gain unauthenticated access to aspects to the USPS ‘Informed Visibility’ service — a service intended to provide near real-time tracking data. 

Logged-in users could query the system for account details, including email address, username, user ID, street address, phone number and mailing campaign data for other users. Such information could be used by criminals for scamming and targeted phishing purposes.

“The flaw that allowed this to happen,” comments Rusty Carter, VP of product management at Arxan, “was a component of the USPS Web site, an application program interface (API), which was designed to help business customers ‘make better business decisions by providing them with access to near real-time tracking data’ about mail campaigns and packages. Instead, it may have shared critical, competitive information about businesses mail campaign best practices, with anyone who stumbled upon the flaw.”

In June 2018, Torsten George, security evangelist at Centrify, warned that APIs could be the next big cyber-attack vector. While the use of APIs is increasing, and such use adds agility to system development, they are not given sufficient cybersecurity priority.

“According to a One Poll study,” he wrote, “businesses on average manage 363 different APIs, and two-thirds (69 percent) of those organizations are exposing their APIs to the public and their partners”

Advertisement. Scroll to continue reading.

“When building out APIs,” adds Carter, “organizations and developers need to assume that all the data and functionality inside the app can be made directly available as a tool to any attacker.”

Although current information suggests the USPS API flaw merely allowed access to customer data, it is indicative of widespread lack of focus on API security. In August 2018, T-Mobile revealed that attackers had gained access to personal information for about 2.3 million of its customers.

The fault was a similarly unprotected API. In that incident, attackers described by T-Mobile as ‘an international group’, gained access to company servers. “Underprotected APIs remains a significant problem for many of today’s web and mobile applications,” commented Ilia Kolochenko, CEO at High-Tech Bridge. “DevSecOps efforts are nascent if not non-existent in many large companies. Developers tend to ignore security best-practices, being already busy enough with endless streams of new features requested by the business to remain competitive on the market.”

This absolutely resonates with USPS, which made a net loss of $2.7 billion for FY 2017. In a statement issued in November 2017, it said, “Equally important in order to return to financial stability is continued aggressive actions on our part to innovate and constantly improve operational efficiency. The Postal Service has reduced its cost base by approximately $13 billion over the past decade, and we continue to take actions to reduce costs and improve efficiency.”

At the time of writing, USPS has made no public statement on its website. In a statement shared with Krebs it said it has no information that the flaw was ever leveraged criminally, and that “the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

Related: Badge Reading App Exposed Details of Black Hat Conference Attendees 

Related: Leaked GitHub API Token Exposed Homebrew Software Repositories 

Related: Ping Identity Acquires API Security Firm Elastic Beam 

Related: Industry Reactions to Google+ Security Incident: Feedback Friday 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.