U.S. Postal Service API Flaw Exposes Data of 60 Million Customers

The United States Postal Service (USPS) has fixed an API flaw that potentially exposed data on 60 million customers. A researcher reported the flaw to USPS more than a year ago, but it wasn’t until security blogger Brian Krebs contacted the organization this month that it took any action.

The same researcher contacted Krebs. Krebs verified the flaw and contacted USPS, who this time “promptly addressed the issue”.

The problem was an API with inadequate authentication checks. All it required was for a user to be logged in; from there, parts of the USPS ‘Informed Visibility’ service, which is intended to provide near real-time tracking data, could be queried without any further check on whether the caller was entitled to the records requested.

Logged-in users could query the system for account details, including email address, username, user ID, street address, phone number and mailing campaign data for other users. Such information could be used by criminals for scamming and targeted phishing purposes.
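The pattern described above, where an API confirms that the caller is logged in but never checks that the caller owns the record being requested, is illustrated below with an added example that is not USPS code and reflects no knowledge of the USPS implementation. All names (`get_account_vulnerable`, `get_account_fixed`, `flag_enumeration`, the session store and the sample accounts) are hypothetical and constructed for the illustration. It shows the flawed handler beside its hardened form, and a simple log-based detection for a caller walking through other users' IDs.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Account:
    user_id: int
    username: str
    email: str
    street_address: str
    phone: str


# Constructed sample accounts; hypothetical data, not real customers.
ACCOUNTS = {
    1001: Account(1001, "alice", "alice@example.com", "1 Main St", "555-0100"),
    1002: Account(1002, "bob", "bob@example.com", "2 Elm St", "555-0101"),
    1003: Account(1003, "carol", "carol@example.com", "3 Oak St", "555-0102"),
}

# Hypothetical session store: bearer token -> authenticated user_id.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


class Unauthorized(Exception):
    """No valid session: the caller is not logged in at all."""


class Forbidden(Exception):
    """Valid session, but the caller may not read the requested record."""


def authenticate(token: str) -> int:
    """Map a session token to the user it belongs to (hypothetical lookup)."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("no valid session") from None


def get_account_vulnerable(token: str, requested_user_id: int) -> Account:
    """The flawed pattern: confirm that *someone* is logged in, then serve
    whatever user_id the caller put in the request."""
    authenticate(token)
    return ACCOUNTS[requested_user_id]


def get_account_fixed(token: str, requested_user_id: int) -> Account:
    """Object-level authorization: the record returned must belong to the
    caller (a real system would also allow delegated business accounts).
    The check runs before the lookup, so a denied request reveals nothing
    about whether the record exists."""
    caller_id = authenticate(token)
    if caller_id != requested_user_id:
        raise Forbidden(f"user {caller_id} may not read account {requested_user_id}")
    return ACCOUNTS[requested_user_id]


def is_denied(handler, token: str, requested_user_id: int) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(token, requested_user_id)
    except Forbidden:
        return True
    return False


def flag_enumeration(access_log, threshold: int = 3):
    """Detection side: given (caller_id, requested_id) pairs from an access
    log, return the callers that read at least `threshold` distinct records
    that were not their own. A legitimate user reads their own record; a
    caller stepping through other users' IDs is what this flaw being probed
    looks like in the logs."""
    foreign = defaultdict(set)
    for caller_id, requested_id in access_log:
        if caller_id != requested_id:
            foreign[caller_id].add(requested_id)
    return {c for c, ids in foreign.items() if len(ids) >= threshold}


if __name__ == "__main__":
    # The vulnerable handler hands Alice's session Bob's details.
    print(get_account_vulnerable("tok-alice", 1002))
    # The fixed handler refuses the same request.
    print("denied:", is_denied(get_account_fixed, "tok-alice", 1002))
    # Constructed access-log sample: Bob reads his own record, Alice walks IDs.
    log = [(1002, 1002), (1001, 1001), (1001, 1002), (1001, 1003), (1001, 1004)]
    print("suspicious callers:", flag_enumeration(log))
```

The authorization check belongs in the handler for every object-returning endpoint, not only at login; the detection function is a starting point for an alert on callers reading many records they do not own, which a per-user threshold or rate limit can complement.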

“The flaw that allowed this to happen,” comments Rusty Carter, VP of product management at Arxan, “was a component of the USPS Web site, an application program interface (API), which was designed to help business customers ‘make better business decisions by providing them with access to near real-time tracking data’ about mail campaigns and packages. Instead, it may have shared critical, competitive information about businesses’ mail campaign best practices with anyone who stumbled upon the flaw.”

In June 2018, Torsten George, security evangelist at Centrify, warned that APIs could be the next big cyber-attack vector. APIs are used more and more, and they add agility to system development, but they are not given sufficient cybersecurity priority.

“According to a One Poll study,” he wrote, “businesses on average manage 363 different APIs, and two-thirds (69 percent) of those organizations are exposing their APIs to the public and their partners.”

“When building out APIs,” adds Carter, “organizations and developers need to assume that all the data and functionality inside the app can be made directly available as a tool to any attacker.”

Although current information suggests the USPS API flaw merely allowed access to customer data, it is indicative of a widespread lack of focus on API security. In August 2018, T-Mobile revealed that attackers had gained access to personal information for about 2.3 million of its customers.

The fault was a similarly unprotected API. In that incident, attackers described by T-Mobile as ‘an international group’ gained access to company servers. “Underprotected APIs remain a significant problem for many of today’s web and mobile applications,” commented Ilia Kolochenko, CEO at High-Tech Bridge. “DevSecOps efforts are nascent if not non-existent in many large companies. Developers tend to ignore security best practices, being already busy enough with endless streams of new features requested by the business to remain competitive on the market.”

This absolutely resonates with USPS, which made a net loss of $2.7 billion for FY 2017. In a statement issued in November 2017, it said, “Equally important in order to return to financial stability is continued aggressive actions on our part to innovate and constantly improve operational efficiency. The Postal Service has reduced its cost base by approximately $13 billion over the past decade, and we continue to take actions to reduce costs and improve efficiency.”

At the time of writing, USPS has made no public statement on its website. In a statement shared with Krebs it said it has no information that the flaw was ever leveraged criminally, and that “the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

Related: Badge Reading App Exposed Details of Black Hat Conference Attendees 

Related: Leaked GitHub API Token Exposed Homebrew Software Repositories 

Related: Ping Identity Acquires API Security Firm Elastic Beam 

Related: Industry Reactions to Google+ Security Incident: Feedback Friday 
