by Boris Vaynberg

VP and GM for Advanced Threat Detection

Posted Dec 17, 2018

A flaw in their system could have been bad news for 60 million users.

You may have heard the United States Post Office has a motto that goes: “Neither snow nor rain nor heat nor gloom of night stays these couriers from the swift completion of their appointed rounds.” And even though the cost of sending a one-ounce letter first class has only changed from $0.06 in 1863 to $0.50 in 2018, you can (mostly) be assured that your mail will get where it’s intended to go thanks to this amazing organization. Unfortunately, the online systems aren’t quite as efficient or secure.

60 Million Users Exposed

It seems that every week some organization is being exposed or reported on the news as having exposed millions of customer records. 

With many of these organizations you can understand why cybercriminals are after specific data or assets (e.g. retail, technology and financial organizations). It isn’t always obvious why some platforms are attacked unless you understand that all data can be used for other types of attacks.

So, when you see a report like the one from KrebsOnSecurity in November, which said the “U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf,” you may wonder what is really going on.

The blog post goes on to report:

“The problem stemmed from an authentication weakness in a USPS Web component known as an “application program interface,” or API — basically, a set of tools defining how various parts of an online application such as databases and Web pages should interact with one another.

The API in question was tied to a Postal Service initiative called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.

In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.”
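
The behaviour described in the quoted report (any logged-in user can read, and sometimes change, another user's record) is what an API does when it checks only that the caller is logged in and not whether the requested record belongs to that caller. The sketch below is an added example, not code from USPS or KrebsOnSecurity; the account data, function names and the read-only policy for authorized users are assumptions made for illustration.

```python
# Constructed example: hypothetical records and handlers, not USPS code.
from dataclasses import dataclass, field

@dataclass
class Account:
    user_id: str
    email: str
    phone: str
    authorized_users: set = field(default_factory=set)

# Constructed sample data.
ACCOUNTS = {
    "1001": Account("1001", "alice@example.com", "555-0100", {"1003"}),
    "1002": Account("1002", "bob@example.com", "555-0101"),
    "1003": Account("1003", "carol@example.com", "555-0102"),
}

class Forbidden(Exception):
    pass

def get_account_weak(session_user_id, requested_id):
    """Weak pattern: only checks that the caller is logged in."""
    if session_user_id not in ACCOUNTS:
        raise Forbidden("login required")
    return ACCOUNTS[requested_id]  # any logged-in caller reads any record

def _authorize(session_user_id, requested_id, write=False):
    """Object-level check: owner always; delegates may read but not modify."""
    if session_user_id not in ACCOUNTS:
        raise Forbidden("login required")
    target = ACCOUNTS.get(requested_id)
    allowed = target is not None and (
        session_user_id == target.user_id
        or (not write and session_user_id in target.authorized_users)
    )
    if not allowed:
        # Same error for "missing" and "not yours" so IDs cannot be enumerated.
        raise Forbidden("not permitted")
    return target

def get_account(session_user_id, requested_id):
    return _authorize(session_user_id, requested_id)

def update_email(session_user_id, requested_id, new_email):
    account = _authorize(session_user_id, requested_id, write=True)
    account.email = new_email
    return account
```

The session identity must come from the server-side session, never from a request parameter, or the check can be bypassed by the same caller it is meant to constrain.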

Informed Visibility

Not to be seen as a purely brick and mortar organization, the United States Post Office has been adding more online capabilities throughout the last decade. One such initiative, which just launched last year, is their online “Informed Visibility Mail Tracking & Reporting,” which provides near real-time letter and flat mail tracking information.

The good news is that anyone can create an account, log in and get specific end-to-end mail tracking information for letter and flat pieces, bundles, handling units, and containers. The service also leverages intelligence to create logical and assumed handling events, providing expanded visibility and improving ease of use through flexible data provisioning and delegation.

The downside is that this online system, like most online systems, is susceptible to cyberbreaches. According to CBS News:

“The post office expects to deliver more than 900 million packages this holiday season and 13 million people have already signed up for the free service which emails you photos of what mail you're going to be seeing later that day.

Bob Dixon developed Informed Delivery for the postal service and said it takes less than three minutes to sign up for the service. The post office asks people to verify their identity with questions like past cities and streets where they've lived and the sale price of their home. As privacy advocate Adam Levin warns, that kind of information could be on the dark web.”

Never Been Hacked

KrebsOnSecurity also reported that it “was contacted last week by a researcher who discovered the problem, but who asked to remain anonymous. The researcher said he informed the USPS about his finding more than a year ago yet never received a response. After confirming his findings, this author contacted the USPS, which promptly addressed the issue.”

The CBS News article ended with this high note:

“The U.S. Postal Service stresses that the actual Informed Delivery database has never been hacked, and said the best way to protect yourself from someone spying on your mail may be to sign up for the service with your own email address before someone else signs up as you.”
