USPS recently fixed a security flaw that allowed anyone with a USPS account to view the account details of 60 million other users. Using that vulnerability, anyone with bad intentions could even edit the details of those other 60 million users.
This security flaw was found by a researcher who prefers to remain anonymous. The researcher contacted KrebsOnSecurity (a daily cybersecurity blog) and told them about the flaw. The researcher said he had informed USPS about the vulnerability a long time ago but never received any response from them.
The root cause of the security flaw was the USPS’ API (Application Programming Interface). An API is a defined set of calls that specify how the web application and its backend database interact with each other. The API in question is the “Informed Visibility” API, which lets bulk mail senders and businesses track their mail campaigns in real time. Because of the flaw, the data of commercial clients was exposed.
The exposed data included email addresses, user IDs, account numbers, street addresses, phone numbers, and other sensitive information. The API accepted wildcard search parameters, which return all of the data at once without the caller having to search for any specific term.
Anyone with malicious intent could exploit this security flaw without using any hacking tools. Implementing access control is a basic and essential step in building any web app. Nicholas Weaver (a researcher at the International Computer Science Institute and lecturer at the University of California, Berkeley) said: “This is not even Information Security 101, this is Information Security 1, which is to implement access control”. That comment shows how serious the flaw was. Fortunately, the security flaw has now been fixed.
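As an added illustration (not USPS code; the record layout, field names and handler functions are assumptions constructed for this example), here is the pattern the article describes, a search endpoint that honours wildcards and never scopes results to the authenticated account, beside a version that applies the access control Weaver refers to:

```python
import fnmatch

# Constructed sample data: customer records keyed by the account that owns them.
# These are not real USPS records or field names.
RECORDS = [
    {"owner": "1001", "email": "alice@example.com", "phone": "555-0101"},
    {"owner": "1002", "email": "bob@example.com",   "phone": "555-0102"},
    {"owner": "1003", "email": "carol@example.com", "phone": "555-0103"},
]


def search_vulnerable(session_account, params):
    """Flawed pattern: the filter comes from the request, the authenticated
    account is never consulted, and wildcards are honoured. owner='*' matches
    every record, so one authenticated user can read everyone else's data."""
    pattern = params.get("owner", "")
    return [r for r in RECORDS if fnmatch.fnmatch(r["owner"], pattern)]


def search_fixed(session_account, params):
    """Hardened pattern: the owner filter defaults to the server-side session,
    any client-supplied owner must equal it, and wildcard metacharacters are
    rejected rather than interpreted."""
    requested = params.get("owner", session_account)
    if any(ch in requested for ch in "*?["):
        raise ValueError("wildcard characters are not permitted")
    if requested != session_account:
        raise PermissionError("caller may only query its own account")
    return [r for r in RECORDS if r["owner"] == session_account]


def update_fixed(session_account, owner, field, value):
    """Writes need the same ownership check; the article notes the flaw also
    allowed editing, so an unchecked update would be just as exposed."""
    if field not in ("email", "phone"):
        raise ValueError("field not updatable")
    for r in RECORDS:
        if r["owner"] == owner:
            if owner != session_account:
                raise PermissionError("caller may only modify its own account")
            r[field] = value
            return True
    return False
```

The detection signal for this class of bug is a single authenticated session whose responses contain records belonging to many different accounts, which the fixed handler makes impossible by construction.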