The US Postal Service (USPS) ignored a security flaw affecting millions of its registered website users for over a year until a researcher took his discovery to prominent blogger Brian Krebs, it has been alleged.
According to Krebs’s write-up, the unnamed researcher contacted him a week ago with news of a weakness he’d uncovered in the USPS.com ‘Informed Visibility’ API.
This API enables a USPS service that gives customers real-time tracking data on mailshot campaigns and deliveries.
Although described in general terms (see the before and after APIs), the authentication flaw found by the researcher…
…let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.
Krebs estimates that there are 60 million USPS account holders, all of whose data (passwords excluded) would have been viewable and, for fields such as email addresses or phone numbers, potentially modifiable.
An attacker who was aware of the flaw could even have run wildcard searches with no special knowledge of tools beyond a bit of nous about how to view and modify data elements using a browser.
When contacted, USPS told Krebs that the company had uncovered no evidence that the weakness had been exploited by an attacker:
Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.
Told of the vulnerability by Krebs on 18 November, USPS is said to have fixed it by 20 November.
Brick wall
That turnaround sounds swift until you read the claim that the researcher first told USPS of the vulnerability over a year ago but was unable to get any response.
Krebs seems to have had more luck getting through:
After confirming his [the researcher’s] findings, this author contacted the USPS, which promptly addressed the issue.
Naked Security has no way of confirming the researcher’s claim but, if true, it would fit the pattern of a known phenomenon – a customer/researcher notices or complains about an issue relating to an organisation’s service, technology or security, reports it, but is stalled or ignored.
The customer then complains to a newspaper journalist or blogger, who contacts the organisation for clarification after which it suddenly becomes a more urgent priority.
A cynical interpretation is that some organisations prefer to ignore complaints unless it’s about to do their reputation serious harm.
Or it might be a problem with the reporting process: an employee receives an email highlighting a flaw but fails to pass it on or passes it on but without an understanding of how to prioritise it. Perhaps it’s nobody’s job (or it is, but the right person isn’t told). Or maybe it’s simply the special inertia that stops the second thing on your TODO list from ever reaching the top.
Four years ago, USPS suffered a data breach affecting employee data, while last year a separate service run by the company, Informed Delivery, was criticised for its security design.
The moral here is that having any form of customer-facing technology without a clearly signposted way for external researchers to report flaws is always asking for trouble.
Anonamouse
I suspect your thoughts on “reporting process” hampered the correction being made.
I reported to a major Virtual Machine software company this spring that they may have malware in one of their downloads after we detected it, it took them 3 months of sporadic back and forth emails before it ever got to a department that would check the file. Really broke my respect for them. Their new parent company short staffs so that could be why (I worked at the parent company for 3 years, not naming them, friends still there)
anon
Another moral to this story is the oft touted response to account access security flaws, to open an account with the service provider before someone else does it in your name, is a poor defence. Precisely because the site is just as incapable of protecting your personal account profile data as it is at protecting access to their service data about you. You can’t make it right with another wrong.
Ria
If you were one of the people that complained multiple times and did not get it fully corrected or feel your information was part of the breach, what can you do?
anon
We have no legal recourse since none of the breached data falls under Personally Identifiable Information (PII) regulations. The USPS is not even obligated to notify users involved in the loss of data security.
That’s why US citizens need to ask our legislators to pass new laws to protect our data privacy. Not unlike what the UK and much of Europe has done.
Jim Gersetich
Big organizations seem to have trouble prioritizing security issues reported by low-level grunts (customers or not-universally-known security researchers). Three times I reported a hack possibility to a major ISP (that I USED to use), and all three times they just ignored it. Twice, the person I was talking to simply didn’t care (and said it). The third time it went up one level of management, but stopped there.
What more could I do? Well, what I did was leave them for another provider. But, what could someone else do?
usps
And they revealed they fixed the bug recently.