60 Million Users Exposed Due to USPS’s Overlooked Security Breach
The United States Postal Service (USPS) just fixed a security vulnerability that previously allowed anyone who has an account at usps.com, to view account details for approximately 60 million other users. What is worse is, in some cases, users were able to access and modify account details for accounts they should not have access to. Just think of the damage someone could do with that power!
According to Krebs on Security, this vulnerability is over a year old. The researcher who originally found it reportedly informed the USPS over a year ago without a resolution. Once Brian Krebs confirmed the vulnerability and reached out to USPS, a fix was promptly issued.
The security vulnerability was also overlooked by the Office of Inspector General, who recently conducted an IT audit. The audit findings were primarily focused on the encryption process of data going from point A to point B. However, they missed the lack of controls within the usps.com website as a whole. Prior to the fix, once logged into the user’s account, they could abuse their access. Now, a second authentication piece has been added in order to authorize certain account changes.
It does not appear user passwords were leaked as a result of this vulnerability. However, it would be wise to review account information to ensure accuracy.
