A US Postal Service API exposed more than 60 million users' data and allowed a researcher to extract millions of rows of data by sending wildcard requests to the server. The resulting security hole was patched after repeated requests to the USPS.
The USPS service, called Informed Delivery, allows you to view your mail before it arrives at your home and offers an API that lets users connect their mail to specialized services such as CRMs. We profiled the service in 2017.
The anonymous researcher showed that the service accepted wildcards for many searches, which allowed any user to look up other users on the site. Brian Krebs has a copy of the API on his site.
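The wildcard-search flaw described above, shown as an added illustration that is not USPS code and is not taken from the article or from Krebs' copy of the API: a constructed SQLite user table queried through a search that is parameterised yet still honours caller-supplied wildcards, beside a version that escapes the LIKE metacharacters and scopes results to the authenticated account. The table layout, column names and function names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for a mail-tracking user table (not real data).
USERS = [
    (1, "alice@example.com", "1 Main St"),
    (2, "bob@example.com", "2 Oak Ave"),
    (3, "carol@example.org", "3 Pine Rd"),
]


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, street TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def search_vulnerable(con, email_query):
    """Weak pattern: the value is bound as a parameter (so no SQL injection),
    but it reaches LIKE unescaped, so '%' and '_' act as wildcards, and nothing
    ties the result set to the account making the request."""
    return con.execute(
        "SELECT id, email, street FROM users WHERE email LIKE ?", (email_query,)
    ).fetchall()


def escape_like(value):
    """Neutralise LIKE metacharacters so the caller's value matches literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_hardened(con, caller_id, email_query):
    """Two fixes: wildcards are escaped (with ESCAPE declared to SQLite), and the
    query is scoped to the authenticated account, so even a broad pattern can
    only ever return the caller's own row."""
    return con.execute(
        "SELECT id, email, street FROM users "
        "WHERE id = ? AND email LIKE ? ESCAPE '\\'",
        (caller_id, escape_like(email_query)),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("wildcard, unscoped:", search_vulnerable(db, "%"))        # every user leaks
    print("wildcard, hardened:", search_hardened(db, 1, "%"))       # nothing leaks
    print("exact, hardened:", search_hardened(db, 1, "alice@example.com"))
```

Beyond the fix itself, a sudden volume of requests whose search parameters consist mostly of `%` or `_` characters is a cheap signal to alert on in API access logs.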
The USPS told Krebs that it had investigated the hack and that:
"Computer networks are constantly under attack from criminals who try to exploit vulnerabilities in an illegal way to obtain information. The Postal Service's Information Security program and the Inspection Service use industry best practices to constantly monitor our network to detect suspicious activity."
"Any information that suggests that criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Due to a large number of precautions, the Postal Service is investigating to ensure that anyone who has attempted to access our systems inappropriately is prosecuted to the fullest extent of the law."
Krebs also reported that identity thieves are misusing the service to see what mail reaches users' homes on which days, allowing them to take important documents and checks at will. The API hole is currently patched, but it is not known what other mishandled functions will emerge in this powerful tool.