Krebs on Security has just reported that an API weakness in USPS’s Informed Visibility program on its site has exposed the data of 60 million users.
The flaw exposed near real-time data about customer packages, as well as mail sent by USPS commercial customers. Perhaps most alarmingly, it also let logged-in users query the system for account details belonging to other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and more.
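The defect described above is a missing per-record check: the API confirmed that a caller was logged in, but not that the account being requested belonged to that caller. The following is an added illustration (not the article's content and not USPS code) with constructed sample accounts, showing the broken handler beside one that authorizes the specific record after authenticating the session.

```python
# Added example: models an account-details lookup that trusts the requested id
# once the caller is logged in, and the corrected lookup that also checks ownership.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: int
    username: str
    email: str
    street_address: str
    phone: str
    authorized_users: tuple  # user ids permitted to act on this account


# Constructed sample data standing in for the account table (hypothetical values).
ACCOUNTS = {
    1001: Account(1001, "acme-mail", "ops@acme.example", "1 Main St", "555-0100", (1002,)),
    1002: Account(1002, "acme-ops", "ops2@acme.example", "1 Main St", "555-0101", ()),
    2001: Account(2001, "other-co", "mail@other.example", "9 Elm Ave", "555-0200", ()),
}


class Forbidden(Exception):
    pass


def get_account_vulnerable(session_user_id: int, requested_id: int) -> Account:
    """Only checks that the caller has a valid session, then returns whatever id was asked for."""
    if session_user_id not in ACCOUNTS:
        raise Forbidden("not logged in")
    return ACCOUNTS[requested_id]  # any logged-in user can read any other user's record


def get_account_fixed(session_user_id: int, requested_id: int) -> Account:
    """Authenticates the session, then authorizes access to the specific record."""
    if session_user_id not in ACCOUNTS:
        raise Forbidden("not logged in")
    target = ACCOUNTS.get(requested_id)
    # Same error for "no such account" and "not yours", so ids cannot be enumerated by
    # distinguishing the two responses.
    if target is None or (session_user_id != target.user_id
                          and session_user_id not in target.authorized_users):
        raise Forbidden("account not accessible")
    return target


def can_read(handler, session_user_id: int, requested_id: int) -> bool:
    """True if the given handler lets session_user_id read requested_id's details."""
    try:
        handler(session_user_id, requested_id)
        return True
    except (Forbidden, KeyError):
        return False
```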
Setu Kulkarni, VP of Strategy and Business Development at WhiteHat Security:
“APIs are turning out to be a double-edged sword when it comes to internet scale B2B connectivity and security. APIs, when insecure, break down the very premise of uber connectivity they have helped establish. In the case of USPS, an authentication weakness in an API for a program called ‘Informed Visibility’ (which gives businesses, advertisers and bulk mail senders access to real-time tracking data) exposed the data of approximately 60 million users.
To avoid similar flaws, government agencies and companies must be proactive, not just reactive, with regard to application security. Every business that handles consumer data needs to make security a consistent, top-of-mind concern with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites and databases. Organizations that rely on digital platforms need to educate and empower developers to code using security best practices throughout the entire software lifecycle (SLC), with proper security training and certifications.”