21
Nov 18

USPS Site Exposed Data on 60 Million Users

U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.

Image: USPS.com

KrebsOnSecurity was contacted last week by a researcher who discovered the problem, but who asked to remain anonymous. The researcher said he informed the USPS about his finding more than a year ago yet never received a response. After confirming his findings, this author contacted the USPS, which promptly addressed the issue.

The problem stemmed from an authentication weakness in a USPS Web component known as an “application program interface,” or API — basically, a set of tools defining how various parts of an online application such as databases and Web pages should interact with one another.

The API in question was tied to a Postal Service initiative called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.

In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox.

A USPS brochure advertising the features and benefits of Informed Visibility.

In cases where multiple accounts shared a common data element — such as a street address — using the API to search for one specific data element often brought up multiple records. For example, a search on the email addresses for readers who volunteered to help with this research turned up multiple accounts when those users had more than one user signed up at the same physical address.

“This is not good,” said one anonymous reader who volunteered to help with this research, after viewing a cut-and-paste of his USPS account details looked up via his email address. “Especially since we moved due to being threatened by a neighbor.”

Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, said the API should have validated that the account making the request had permission to read the data requested.

“This is not even Information Security 101, this is Information Security 1, which is to implement access control,” Weaver said. “It seems like the only access control they had in place was that you were logged in at all. And if you can access other peoples’ data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well.”

A cursory review by KrebsOnSecurity indicates the promiscuous API let any user request account changes for any other user, such as email address, phone number or other key details.

Fortunately, the USPS appears to have included a validation step to prevent unauthorized changes — at least with some data fields. Attempts to modify the email address associated with my USPS account via the API prompted a confirmation message sent to the email address tied to that account (which required clicking a link in the email to complete the change).

It does not appear USPS account passwords were exposed via this API, although KrebsOnSecurity conducted only a very brief and limited review of the API’s rather broad functionality before reporting the issue to the USPS. The API at issue resides here; a copy of the API prior to its modification on Nov. 20 by the USPS is available here as a text file.

The ability to modify database entries related to Informed Visibility user accounts could create problems for the USPS’s largest customers — think companies like Netflix and others that get discounted rates for high volumes. For instance, the API allowed any user to convert regular usps.com accounts to Informed Visibility business accounts, and vice versa.

Spammers and email scam artists also could have a field day with this USPS vulnerability, said Robert Hansen, chief technology officer at Bit Discovery, a security firm in Austin, Texas.

“This could easily be leveraged to build up mass targeted spam or spear phishing,” Hansen said. “It should have been protected via authentication and validated against the logged in user in question.”

In a statement shared with KrebsOnSecurity, the USPS said it currently has no information that this vulnerability was leveraged to exploit customer records, and that the information shared with the USPS allowed it to quickly mitigate the vulnerability. Here’s the rest of their statement:

“Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information.  Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity.”

“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

According to a somewhat redacted vulnerability assessment of Informed Visibility (PDF) published in October 2018 by the USPS’s Office of Inspector General (OIG), auditors found a number of authentication and encryption weaknesses in the service. But they seemed to have overlooked this rather glaring security problem. The USPS told the OIG it had addressed the authentication problems raised in the audit report, which appear to have been related to how data was encrypted in transit.

The API vulnerability is the latest security stumble for the Postal Service’s efforts to modernize operations. The Informed Visibility program is the sister initiative to the USPS’s Informed Delivery service, which lets residents view scanned images of all incoming mail. The API vulnerability affected all usps.com users, including some 13 million Informed Delivery users.

As detailed in numerous stories here, Informed Delivery has struggled to implement security features that might prevent abuse of the system by identity thieves and other ne’er-do-wells.

Earlier this month, KrebsOnSecurity broke the news that the U.S. Secret Service issued an internal memo about identity thieves abusing Informed Delivery to aid in mail theft. The story cited cases in multiple states involving scammers who ordered new credit cards in the names of victims, and then signed up as those victims at Informed Delivery once the cards were sent — thereby allowing the thieves to tell exactly when the new credit cards would be arriving in the mail.

Although fixing information disclosure and authentication weaknesses is often quite simple, it’s remarkable how many organizations that should know better don’t invest the resources needed to find and address them. In September, this author detailed how a company used by thousands of state and local governments to accept online payments was leaking more than 14 million records.

In August, KrebsOnSecurity disclosed a similar flaw at work across hundreds of small bank Web sites run by Fiserv, a major provider of technology services to financial institutions.

In July, identity theft protection service LifeLock corrected an information disclosure flaw that exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness exposing millions of customer names, email and physical addresses, birthdays and partial credit card numbers.

Got a tip about a security vulnerability similar to those detailed above, or perhaps something more serious? Please drop me a note at krebsonsecurity @ gmail.com.

Update, 3:49 p.m. ET: Updated the story to include an official statement from the USPS.

Tags: , , , , , , ,

53 comments

  1. The Krebs has the Kred, to get noticed!

  2. And yet I’m sure some independent contractor/crony of the USPS invoiced the American taxpayers for BILLIONS for the sparkly, shiny new “informed digest” feature. The post office is a sick joke that should be removed from service. Staffed by illegal foreigners (in CA) who steal packages & mail with impunity (from rented post office boxes) and the only American is the boomer postmaster waiting for retirement/coasting into a six figure pension.

    • postal service is Independent business regulated by the government if you do not use the postal service you do not pay for it services or people that work with for the postal service. it is not paid by taxpayers. Postal service is also required to prefund their retirement by 75 years ergo this year alone was 6.9 billion dollars minus the 3.9 billion dollars made equals the fake debt of 3 billion dollars.loss

    • Spiddle on Prattle

      sorry but the prattle comment is so stupidly idiotic

    • The USPS is a fee for service. There are zero and I mean zero tax dollars used to run the postal service.
      I work for the postal service and my husband recently retired as a manager of 33 yrs and he certainly worked hard for his retirement and did not “coast” into 6 figure retirement. Try lower 5 figure. Postal service is the only agency required to prefund their retirement for all their employees. Yes it is a well paying job, but I certainly am not sitting on my a** all day.
      Also the postal service employs thousands of contractors who make millions of dollars moving the mail over the road and in the air. Think about it, only costs you 50 cents to mail a letter from New York to California. The postal service is not supposed to make a profit. And when we do that money is reinvested into technology and facilities. The equipment continues to be improved requiring less personnel and this reduces cost. Next time go to a large facility they usually do tours. I suggest you take one. We process a heck of a lot mail for very little money.

    • Unfortunately, I would have to disagree with the premise of eliminating the post office, why? Remember the term postal? Amazon sound dangerous? Or how about Fed ex? But going postal? Okay, if the laws were enforced, they are the only ones who have access, unfettered for the purpose of delivery. Really, a private business don’t. You can place a no tresspasing sigh out, and only the post and a guest may cross without a court order. Why eliminate, you would not get court orders, imagine trying to get a home delivery pizza if their were no addresses, set by post offices. Or the rate to send a letter by Amazon, or what they would charge.
      But, Krebs, good article.

      • >>Really, a private business don’t. You can place a no tresspasing sigh out, and only the post and a guest may cross without a court order. Why eliminate, you would not get court orders, imagine trying to get a home delivery pizza if their were no addresses, set by post offices.

        I have a home with a street address. FedEx and UPS delivers. The USPS does not. If you send mail to my address it gets sent back as undeliverable. And I get pizza delivered. To get mail I am forced to get a P.O. Box.

        But it’s not all bad, Informed Visibility hacks wouldn’t do the crooks any good. The P. O. Boxes are locked. And the P. O. Boxes are free, apparently to compensate for not delivering mail.

    • Nope. This API was all internally developed. Nice try though

    • Prattle on, Boyo?? How bout get a clue Bozo, for you. What a blow hard ignorant jerk. I’m sure there are NO skeletons in your closet.

  3. Jeez, the more “ease of use” and “modernization” that companies (Government included) implement, the more we hear about security being a secondary concern.

  4. After reading your recent article on USPS Informed Delivery service, last week I signed up to protect my ID and thinking that I would be able to view MY personal mail and packages. I rent a lake house room and the mailbox is shared with other renters. Little did I realize that when checking my mail with Informed Delivery, I was shown scans of not just my mail but of all people living in the home. So much for privacy.

    • informed .delivery does not hve the ability to separate individual ppls mail fir viewing. Its all who recieves mail at a residence. Also only one person can have it not multiple ppl at.the same address. Not all mail is viewed as well. its a great tool to have to just know whats coming. working the USPS I think its too much information as you can see hackers are toe to toe with modern technology

  5. A vulnerability assessment is not a penetration test. The OIG should not have been expected to find such an error with a vulnerability test. Any application like this needs a real penetration test. Since their audit was both scanning and looking at procedures, OIG should be faulted for not calling out the lack of a penetration test. The USPS needs to run all their public facing websites through real penetration testing and/or establish a bug bounty program.

  6. Think about what a defect like this might mean for all those states that send absentee ballots or practice “Vote By Mail”.

  7. Not much better with the route carriers. The carrier delivering to my area leaves mail at the wrong box regularly. Not sure the applicants to handle mail are tested for reading comprehension. Our distribution center is nothing more than a lost mail center.

    Our Post Mistress is seldom available during normal business hours. Complaining to her is nothing more than venting.

    For an agency with the best working hours, insurance and retirement package, they do not shine.

    • Instead of complaining to your postmistress, you need to go to the USPS web site, and file an official complaint. She will have to go through a process, and answer what she is doing to resolve the issue.

  8. The Sunshine State

    Great article as usual !

  9. they should run a service like ATTACKIQ which uses the MITRE vulnerability tests and runs them automated, around the clock ….

    just my 2 cents!

  10. We should be more concerned about the information that was leaked than complaining about the post office in general. Let’s keep to the subject matter in the article.

    This was very enlightening, Brian. As an occasional user of this site for convenience purposes, I had no idea that this was even possible. Thanks for sharing this information with us.

  11. the USPS is a joke. always has been. their broke. but they keep raising prices of stamps thinking that will fix their financial issues.

    • I have no love for USPS but you are mistaken. They’re so far from broke that they can almost sustain the unprecedented prefunded retirement everyone keeps talking about. They’re also the only affordable option for shipping small weights under a pound unless you’re the size of Amazon, and the only affordable option period for international shipments. UPS and FedEx have not been able to compete. I wish they could.

  12. Signed up for this service last week, not because I wanted it, but to try and prevent it from being abused.

    The validation was weak, just used credit reporting information/addresses. Emails began daily showing the 1st-class mail to be delivered as gray-scale images.
    Yesterday, the email included an image of the snailmail validation letter confirming that I’d signed up. Haven’t read it too closely, but there were 2 alphanumeric codes included inside. If I’d signed up for someone else, I could have easily picked up their mail.
    Our mail is delivered here well after dark in the evenings, so walking the 20 ft from my simple street mailbox to a neighbors and grabbing their mail wouldn’t be noticed 99% of the time. No locks on the mailboxes here.
    We are forever trading misdelivered mail. It wasn’t this bad until the last few years. Used to be once a year, now it is once a week. None of are names are common or related in any way.

  13. excellent work and detail as usual Brian, we really appreciate it!

    A quick question- how is it you and the volunteers are allowed to probe and test the usps’s API vulnerabilities without fear of running afoul legally (or civilly), here in the US ?

    is it that you obtain permission from USPS first? I’m just curious for my own research and knowledge. thanks

  14. Daniel Chavez Jr

    The USPS is one of the few constitutional manadeted government agencies and profits have been ransacked by Congress for years because they can do it. Taxpayers don’t give a dime to the Post Office. Postal management has never been audited and there lies the blame. If a fortune 500 company had to prefund retired healthcare 75 years in advance 4.5 billion every 3 months…yes months they would be bankrupt Oh and Congress sets the rules so I think the workers, carriers, and clerks are doing their best overall. Happy Thanksgiving and yes I will be delivering Friday morning.

  15. There is zero value in this system other than to mine Americans personal information.

  16. I told them about this problem twice years ago and I thought they fixed it but I guess the problem wasn’t fixed everywhere.

  17. I’ve got to wonder if the recent law regarding drug interdiction is based off this same database, originally built to track hazardous materials in the mail.

    https://www.govexec.com/management/2018/10/trump-signs-law-curb-postal-services-unintentional-role-opioid-crisis/152351/

  18. KoSReader6000000

    To Readership1

    Probably correct.

    Take a look at the mail cover program. It was initially ramped up due mostly to the anthrax letter episode but proved to be very handy at grabbing “metadata” on many people. This would include political affiliations, foreign communications to and from the USA to other nations, smuggling, banking data and so on. I would assume the postal imaging or scanning database is quite revealing and probably very valuable.

    The down side is foreign actors could gain significant information on many military and other American activities if exposed. Now, that Brian Krebs has exposed this trove of data I wonder if it is worth the time and money spent to create it. It could be quite radioactive and harmful in the long run.

    • Not exactly. The scanning program was upped after 9/11. Tracing has been in place for quite some time. This APP is all about visibility of the mail for the mailing industry and its customers. They all want to know when their mailpiece arrives.

  19. These sorts of systems are generally developed by contractors, not by in-house teams. They’re often operated by contractors too.

    Brian, you have the journalistic skill to figure out which contractor developed systems like these, and who operates them. I wonder if it makes sense to mention them in articles about system breaches, and try to get comments from them.

    It would help your readers (like me) who work to defend our customers’ secrets to know more about the human systems involved in failures like this USPS one.

  20. well the files are just binary equal lol no modification 🙂

    “The API at issue resides here; a copy of the API prior to its modification on Nov. 20 by the USPS is available here as a text file.”

  21. Don’t you just love all of these unnecessary “services” provided by the obviously security ignorant. And just like personal email can be viewed by the government because of the fact that it goes through external servers means one has “no reasonable expectation of privacy”:

    “While it may be difficult for law enforcement to legally gain access to one’s personal computer and local copies of saved in one’s personal computer, they may be able to get them easily from the ISP. ISPs are also increasingly creating End User Service Agreements that users must agree to abide by. These agreements reduce any expectation of privacy, and often include terms that grant the ISP the right to monitor the network traffic or turn over records at the request of a government agency.”

    …with this “informed delivery” crap, I wonder if it would be useful to government agencies to effortlessly see everything one is receiving through the mail, obtaining that information legally or otherwise via “informed delivery.” Do ya’ think?

    Now all we need to do is fully move to a cashless society and driverless cars and we’ll really have a turn-key dystopia.

  22. As I’ve always said, the American capitalist philosophy is to get the software to market and fix the problems later. That has to change; and it is starting too with services starting to be held accountable.

  23. How many times is it going to take! Authentication does not equal authorization. Can’t believe this continues to happen.

  24. Nice work Brian … as usual.

    On another USPS security aspect …

    … the POs in my area are ONLY NOW activating and using their credit card EMV chip readers.

    Clearly, there’s some significant beurocratic inertia in the behemoth organization.

    I’m skeptical if they – or the sub-contractors they employ – will EVER be able to efectively counter the always-dynamic cyber threats.

  25. My spouse and I are traveling as we speak. Before leaving home she asked me to stop/hold our mail – something she usually took care of. So I signed up and placed the hold. A few days later I checked and found I had no holds scheduled! So she logged on and set it and received the verification email. The neighbor will get our mail that had been delivered. So this verifies only one email per address. Happy THAT worked.

  26. It’s government. They just don’t care.

  27. Brian, API before and after are identical

  28. Hey, Kreb. Looks like the API’s are identical. The before and the after. Hmmm

  29. Safeguards shouldbe implemented & checked regularly to insure our safety. Caifor-nia would be the exception.

  30. If we signed up for informed Delivery in early November, has my data been compromised? Should I opt out?

Leave a comment