A couple of weeks after the Secret Service issued an alert that cybercriminals were using the U.S. Postal Service’s Informed Delivery feature for identity theft and other forms of fraud, the USPS has fixed a flaw that exposed the personal details of 60 million users who have usps.com accounts.
“Just in time for the holidays, USPS has delivered to customers a lump of coal, in the form of exposing account data belonging to 60 million users, including emails, username and ID, account number, contact info and other information,” said Rusty Carter, vice president of product management at Arxan, about a report from KrebsonSecurity detailing the findings of an anonymous researcher who discovered the flaw and claimed to have reported it to the postal service. “Of particular concern, a researcher reported the vulnerability to USPS a year ago and never received a response.”
The vulnerability was in the Informed Delivery API, which the postal service had boasted as a tool for business customers to “make better business decisions by providing them with access to near real-time tracking data,” but instead, Carter said, “it may have shared critical, competitive information about businesses mail campaign best practices, with anyone who stumbled upon the flaw.”
The postal service was dinged for its slow response to the vulnerability. “The USPS breach is yet another example of the dreadful risks that American consumers take every day, simply by going about their daily business online,” said Lucy Security CEO Colin Bastable. “The inexcusable delay in rectifying the problem has exposed millions to the risk of cybercrime.”
Google Head of Account Security Mark Risher urged users to employ a mail client and web browers with robust anti-phishing warnings” since phone or laptop default apps might not offer such protection. “Users with Google Accounts should also consider taking a Security Checkup to ensure their apps and devices are in the best-protected state,” RIsher said.
Paul Bischoff, privacy advocate with Comparitech.com, said that while "APIs can be a very effective way for a businesss to allow third parties to build useful tools and applications around that business' data… they must be properly secured.”
In this case, he said, “basic access controls were not properly implemented” and noted that anyone with access “could request changes be made to those accounts, although those changes must be confirmed via email.”
So far there’s no indication that anyone has exploited the vulnerability, which reportedly existed for a year, Bischoff said “we should assume the worst.”
API-based attacks have greater security implications, pros said. They “are the reason that even database encryption is failing,” said Anthony James, vice president at CipherCloud, “If you can compromise the API you can access and exfiltrate the encrypted data in the database.”
According to a recent survey, “25 percent of companies have over 1,000 APIs and 45 percent of security and IT professionals aren’t confident in their organization's ability to detect whether a bad actor is accessing their APIs,” said Bernard Harguindeguy, CTO, Ping Identity. “This illustrates one of the greatest obstacles to effective API security today — the people trusted with securing APIs don’t always have enough visibility into who is accessing what account to track whether illegitimate access is occurring.
The USPS incident “highlights the risks organizations have without proper vetting of the services,” agreed Tim Mackey, open source technology evangelist at Synopsys. “Understanding the data transmitted to an API and a method to validate the sanity of the returned data should be part of the review process in all development and procurement teams.”
That way “API consumers can then monitor for any security disclosures associated with their API usage,” he said. “When you consider the US Senate Commerce Committee is hearing briefs on a national data protection law similar to CCPA and GDPR, organizations should view tracking of API dependencies as a core strategy in reducing risks associated with potential data breaches.”
Calling the USPS exposure a wake-up call, Harguindeguy said organizations everywhere must “step up their API security. API infrastructures need special attention to defend against abuses and attacks.”