The U.S. Postal Service recently fixed a gaping hole in their website's API that would give potential attackers access to package transit information, email addresses, usernames, account numbers, street addresses, phone numbers, and other information tied to USPS accounts. KrebsOnSecurity says that a researcher informed the USPS about the issue over a year ago, but only recently addressed the issue after the author confirmed his findings. The issue was more than just a simple bug, as the USPS website would hand over nearly all the information tied to an account to any logged in USPS user without so much as a single protest. Fortunately, address change requests still required email validation, but the website pointed out a number of other ways the API could be abused.
"This is not even Information Security 101, this is Information Security 1, which is to implement access control," Weaver said. "It seems like the only access control they had in place was that you were logged in at all. And if you can access other peoples' data because they aren't enforcing access controls on reading that data, it's catastrophically bad and I'm willing to bet they're not enforcing controls on writing to that data as well."
Discussion
