According to Krebs’s write-up, the unnamed researcher contacted him a week ago with news of a weakness he’d uncovered in the USPS.com ‘Informed Visibility’ API.
This API enables a USPS service that gives customers real-time tracking data on mailshot campaigns and deliveries.
Although described in general terms (see the before and after APIs), the authentication flaw found by the researcher…
…let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.
Krebs estimates that there are 60 million USPS account holders, all of whose data (passwords excluded) would have been viewable and, for fields such as email addresses or phone numbers, potentially modifiable.
An attacker who was aware of the flaw could even have run wildcard searches with no special knowledge of tools beyond a bit of nous about how to view and modify data elements using a browser.
When contacted, USPS told Krebs that the company had uncovered no evidence that the weakness had been exploited by an attacker:
Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.
Told of the vulnerability by Krebs on 18 November, USPS is said to have fixed it by 20 November.
That turnaround sounds swift until you read the claim that the researcher first told USPS of the vulnerability over a year ago but was unable to get any response.
Krebs seems to have had more luck getting through:
After confirming his [the researcher’s] findings, this author contacted the USPS, which promptly addressed the issue.
Naked Security has no way of confirming the researcher’s claim but, if true, it would fit the pattern of a known phenomenon – a customer/researcher notices or complains about an issue relating to an organisation’s service, technology or security, reports it, but is stalled or ignored.
The customer then complains to a newspaper journalist or blogger, who contacts the organisation for clarification after which it suddenly becomes a more urgent priority.
A cynical interpretation is that some organisations prefer to ignore complaints unless it’s about to do their reputation serious harm.
Or it might be a problem with the reporting process: an employee receives an email highlighting a flaw but fails to pass it on or passes it on but without an understanding of how to prioritise it. Perhaps it’s nobody’s job (or it is, but the right person isn’t told). Or maybe it’s simply the special inertia that stops the second thing on your TODO list from ever reaching the top.
Four years ago, USPS suffered a data breach affecting employee data, while last year a separate service run by the company, Informed Delivery, was criticised for its security design.
The moral here is that having any form of customer-facing technology without a clearly signposted way for external researchers to report flaws is always asking for trouble.
John E Dunn