The United States Postal Service reportedly patched an API vulnerability on Wednesday that had allowed anyone with a USPS.com account to view other users' account details. The security flaw affected some 60 million USPS users, Engadget reports.
According to a Krebs on Security report, the flaw was first discovered more than a year ago by an independent security researcher, who informed the mail service but never received word back until Krebs reached out last week on the researcher's behalf.
The API was part of the USPS "Informed Visibility" program, which is designed to give bulk mail senders near real-time tracking data. The problem is that the API accepted any number of "wildcard" search parameters, so anyone who was logged into the system and had a basic understanding of modifying parameters in the web browser console could pull up reams of data on other users. Everything from usernames and account numbers to physical addresses and phone numbers was there for the taking.
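As an added illustration (not code from USPS or from either report), the pattern described above, a wildcard filter whose only gate is having a session, shown beside the object-level authorization check that closes it; the record store, field names and user ids are constructed for the example:

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: str
    username: str
    address: str
    phone: str


# Constructed sample records standing in for a tracking-API backend (not real data).
ACCOUNTS = [
    Account("u1001", "alice", "1 Main St", "555-0100"),
    Account("u1002", "bob", "2 Oak Ave", "555-0101"),
    Account("u1003", "carol", "3 Elm Rd", "555-0102"),
]


def search_vulnerable(session_user_id: str, username_pattern: str) -> list[Account]:
    """Mirrors the flaw as described: the only check is that a session exists,
    and the caller's filter runs over every account, so a pattern such as
    '*' returns everyone's record."""
    if not session_user_id:
        raise PermissionError("login required")
    return [a for a in ACCOUNTS if fnmatch.fnmatchcase(a.username, username_pattern)]


def search_hardened(session_user_id: str, username_pattern: str) -> list[Account]:
    """Object-level authorization: the caller's identity comes from the
    session, never from request parameters, and it bounds the candidate set
    before any user-supplied filter is applied. A wildcard can then only
    match the caller's own records."""
    if not session_user_id:
        raise PermissionError("login required")
    own = [a for a in ACCOUNTS if a.user_id == session_user_id]
    return [a for a in own if fnmatch.fnmatchcase(a.username, username_pattern)]


def leaked_records(session_user_id: str, results: list[Account]) -> list[Account]:
    """Detection helper: any record in a response whose owner is not the
    session user is a cross-tenant leak worth alerting on."""
    return [a for a in results if a.user_id != session_user_id]
```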
"This is not even Information Security 101, this is Information Security 1, which is to implement access control," Nicholas Weaver, a researcher at the International Computer Science Institute, told Krebs. "It seems like the only access control they had in place was that you were logged in at all. And if you can access other people's data because they aren't enforcing access controls on reading that data, it's catastrophically bad and I'm willing to bet they're not enforcing controls on writing to that data as well."