For more than a year, the US Postal Service ignored an authentication oversight that exposed the account details of 60 million users to anyone who logged into the web service.
An anonymous researcher found that an application programming interface (API), a web component the USPS used to support its Informed Visibility service, lacked proper access control for reading data belonging to other users' accounts, such as their email address, username, user ID, account number, street address, or phone number.
Informed Visibility is a program that provides "near real-time letter and flat mail tracking information" to entities using bulk mail sending services.
To get the information, an attacker would only have to run a query in the system. They could also use wildcards to retrieve the records of every user sharing a search parameter, such as a street address.
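The flaw described above is a missing object-level authorization check: the API filtered records by the caller's search parameter but never checked that the caller owned the records it returned, and it accepted wildcards. The following is a constructed illustration added here, not USPS code; the sample records, field names, glob-style wildcard syntax and the `lookup_*` functions are all assumptions. It places the vulnerable lookup beside a hardened one that scopes every query to the authenticated caller and refuses wildcard enumeration, plus a small helper a defender could run over API responses to flag cross-account reads.

```python
# Constructed illustration (not USPS code) of an unscoped user-lookup endpoint
# versus one that enforces object-level authorization and rejects wildcards.
from fnmatch import fnmatchcase

# Constructed sample records; the field names are assumptions.
USERS = [
    {"user_id": 1, "username": "alice", "email": "alice@example.com", "street": "1 Main St"},
    {"user_id": 2, "username": "bob", "email": "bob@example.com", "street": "1 Main St"},
    {"user_id": 3, "username": "carol", "email": "carol@example.com", "street": "9 Elm Ave"},
]
SEARCHABLE = {"user_id", "username", "email", "street"}


class Forbidden(Exception):
    """Raised when a request fails the authorization check."""


def lookup_vulnerable(caller_id, field, pattern):
    """Vulnerable form: ignores who is asking, so any authenticated caller can read
    other accounts, and a '*' pattern enumerates every record sharing the field."""
    if field not in SEARCHABLE:
        raise ValueError("unknown field")
    return [u for u in USERS if fnmatchcase(str(u[field]), pattern)]


def lookup_hardened(caller_id, field, pattern):
    """Hardened form: the query is scoped to the authenticated caller's own record
    and wildcard characters are refused, so a matching parameter on another
    account (e.g. a shared street address) returns nothing."""
    if field not in SEARCHABLE:
        raise ValueError("unknown field")
    if any(c in pattern for c in "*?["):
        raise Forbidden("wildcards are not permitted in user lookups")
    return [u for u in USERS if u["user_id"] == caller_id and str(u[field]) == pattern]


def cross_account_rows(caller_id, rows):
    """Detection helper: rows in a response that do not belong to the caller.
    Any non-empty result from a per-user endpoint is a sign of this class of bug."""
    return [r for r in rows if r["user_id"] != caller_id]
```

Running `lookup_vulnerable(1, "street", "1 Main St")` returns both alice's and bob's records, while the hardened lookup with the same arguments returns only the caller's own row.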
The researcher informed the USPS about the issue more than a year ago but never received an answer. Last week, he shared the report with investigative reporter Brian Krebs, who alerted the USPS about the issue.
The USPS fixed the problem on November 20 and told Krebs that it constantly monitors its network for suspicious activity. The agency is continuing its investigation to determine whether anyone accessed data from the exposed accounts without authorization.
It is surprising that the weakness survived for this long without being exploited. In 2014, the USPS suffered a data breach that involved personal information of at least 750,000 employees and almost three million customers.
It appears that the problem slipped through the cracks: even a security audit of 13 Informed Visibility (IV) servers carried out by the Office of Inspector General failed to detect it.
A report published in October found that the IV systems suffered from some misconfiguration problems, but none of them referred to adding access controls for reading user data, which is a baseline in information security.
What the audit did find were authentication and encryption issues in the web applications' communication protocols, misconfigurations affecting the confidentiality, integrity, and availability of the servers, shortcomings in the controls for database account management and audit logging, and the lack of a minimum configuration standard for the IV databases.