USPS Vulnerability Exposed 60 Million Users

AlphaAtlas ([H]ard|Gawd, Staff member)
The U.S. Postal Service recently fixed a gaping hole in their website's API that would give potential attackers access to package transit information, email addresses, usernames, account numbers, street addresses, phone numbers, and other information tied to USPS accounts. KrebsOnSecurity says that a researcher informed the USPS about the issue over a year ago, but the USPS only addressed it recently, after the author confirmed his findings. The issue was more than just a simple bug, as the USPS website would hand over nearly all the information tied to an account to any logged-in USPS user without so much as a single protest. Fortunately, address change requests still required email validation, but the website pointed out a number of other ways the API could be abused.

“This is not even Information Security 101, this is Information Security 1, which is to implement access control,” Weaver said. “It seems like the only access control they had in place was that you were logged in at all. And if you can access other peoples’ data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well.”
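The failure Weaver describes is a missing object-level authorization check: the API confirmed that a session existed but never confirmed that the session's user owned the record being requested. The following is an added example, not code from the original post, from KrebsOnSecurity, or from USPS; the handler names, the in-memory account store, the session model and the sample accounts are all assumptions made for illustration. It shows the "logged in at all" pattern beside a read handler that checks ownership, and applies the same check to the write path, which is the second half of Weaver's point.

```python
"""Added example (not from the original post, Krebs' write-up, or USPS): a
minimal model of the access-control failure described above, with the fix.

The handler names, account records and session model are assumptions made
for illustration; the real USPS API is not reproduced here.
"""

# Constructed sample data standing in for the account store. The account
# numbers, names and contact details are made up.
ACCOUNTS = {
    "1001": {"owner": "alice", "email": "alice@example.com",
             "street": "1 Main St", "phone": "555-0100"},
    "1002": {"owner": "bob", "email": "bob@example.com",
             "street": "2 Oak Ave", "phone": "555-0101"},
}

# Fields a user may change through the API; the owner is never client-writable.
WRITABLE_FIELDS = {"email", "street", "phone"}


class AuthorizationError(Exception):
    """Raised when a request fails an authentication or authorization check."""


def get_account_vulnerable(session_user, account_id):
    """The pattern the article describes: the only check is that someone is logged in.

    Any authenticated user who supplies another account number gets that
    account's record back (broken object-level authorization).
    """
    if session_user is None:
        raise AuthorizationError("login required")
    return dict(ACCOUNTS[account_id])


def _load_owned(session_user, account_id):
    """Look up a record and verify that the caller owns it.

    Foreign and nonexistent accounts get the same error, so the endpoint
    cannot be used to enumerate which account numbers exist.
    """
    if session_user is None:
        raise AuthorizationError("login required")
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise AuthorizationError("no such account for this user")
    return record


def get_account_fixed(session_user, account_id):
    """Read path with the ownership check applied."""
    return dict(_load_owned(session_user, account_id))


def update_account_fixed(session_user, account_id, changes):
    """Write path: the same ownership check gates writes, and only
    whitelisted fields may be changed (so "owner" cannot be reassigned)."""
    record = _load_owned(session_user, account_id)
    unknown = set(changes) - WRITABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    record.update(changes)
    return dict(record)


def refused(fn, *args, exc=AuthorizationError):
    """True if the call is rejected with `exc`, False if it succeeds."""
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo():
    """Bob requests Alice's account: the vulnerable handler leaks her email,
    the fixed handler refuses. Returns (leaked_email, refused_by_fix)."""
    leaked = get_account_vulnerable("bob", "1001")["email"]
    return leaked, refused(get_account_fixed, "bob", "1001")


if __name__ == "__main__":
    print(demo())
```

The ownership check lives in one helper used by both the read and the write handler, so a later endpoint cannot accidentally get the read check without the write check. Returning the same error for "not yours" and "does not exist" is deliberate: a distinguishable response would let an attacker enumerate valid account numbers even after the data leak is closed.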
 
Well done, USPS, well done.
 
Not surprised. We still use old-ass Compaqs from 2007 with mid-'90s 13-inch CRT displays. Even some of the server racks in my building date back to 2001, and no one even knows if they actually control anything, but they still keep them running. They're just now talking about potentially replacing them, but we're at the bottom of the list for replacements, so it'll probably take another 3-4 years.
 
A change of address is NOT verified by any contact from the post office.

I was targeted after the Equifax breach with 5 new credit cards/lines of credit and only incidentally found that my mail had been forwarded to another city where the crooks were hoping to get the cards.

Fortunately, I had a free service from Capital One that I wasn't aware of until the incident (CreditWise) that tipped me off, so I could call all the banks that had done credit checks and warn them of the fraud.

The lame-ass support at Equifax told me that all the applications were legit. :(
 
USPS sends an address change verification letter to both the new address and the old address for ANY change of address (including temporary ones)
 
They're gonna need more than that to catch up to Equifax, but good effort.
 
I think it's safe to assume that all of our information has already been exposed. If any is still "private", just give it a few days - it will be exposed soon enough.

If anything is still private it's probably only because no one could figure out a use for it.
 
The problem is the credit card companies don't verify whether the addresses are correct: whatever is put in the application form, as long as all the important information is legit, they'll send the card to whatever address is put into the application. The only ones that actually verify using your credit-reported address are banks, and even then that address is still wrong, as is the case for me. My credit report still says I live in California even though I haven't lived there for over 10 years, and the process to get it fixed takes forever, to the point where it's not even worth it.
 