Red Security

US Postal Service Left 60 Million Users Data Exposed For Over a Year


    USPS, or the United States Postal Service, recently patched a vulnerability that exposed sensitive information belonging to 60 million users. 

The vulnerability itself was tied to a weakness in the application programming interface (API). The API was tied to the "Informed Visibility" program that allows users to track their packages in real time. According to the cyber security researcher [identity as of yet unknown], the faulty API was programmed to accept any [wildcard] search parameters; this could have allowed anyone logged in to query the system and retrieve the account information of any other user.


What's more is the reaction from USPS regarding the matter. The researcher reportedly found and reported the vulnerability to USPS, who then ignored it and left the hole open to anyone who wanted to appropriate the information. This was until last week, when a journalist by the name of Brian Krebs contacted USPS on behalf of the researcher.


    USPS had this to say: 


    "We currently have no information that this vulnerability was leveraged to exploit customer records."


"Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law."



     That was the news, have a good week, and stay safe out there. 


     ----Mad-Architect
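
The flaw described in the post above (an API that accepts wildcard search parameters from any logged-in user), shown beside a corrected handler. This is an added example, not part of the original post and not USPS code; the record fields, function names and sample data are hypothetical and constructed for illustration.

```python
import fnmatch

# Constructed sample records; field names are hypothetical, not USPS's schema.
ACCOUNTS = [
    {"user_id": 1, "email": "alice@example.com", "street": "1 Elm St"},
    {"user_id": 2, "email": "bob@example.com", "street": "2 Oak Ave"},
    {"user_id": 3, "email": "carol@example.org", "street": "3 Pine Rd"},
]
SEARCHABLE = {"email", "street"}   # fields a client may search on
WILDCARDS = set("*?[]%")           # glob and SQL-style wildcard characters


class Forbidden(Exception):
    """Raised when a query is refused."""


def search_vulnerable(caller_id, field, pattern):
    # Authenticated but never authorized: the caller's identity is ignored
    # and the pattern is interpreted as a glob, so "*" matches every account.
    return [a for a in ACCOUNTS if fnmatch.fnmatch(str(a[field]), pattern)]


def search_hardened(caller_id, field, value):
    # 1. Allow-list the searchable fields.
    if field not in SEARCHABLE:
        raise Forbidden(f"field {field!r} is not searchable")
    # 2. Refuse wildcard characters instead of interpreting them.
    if not value or WILDCARDS & set(value):
        raise Forbidden("wildcard or empty search terms are not accepted")
    # 3. Object-level authorization: only the caller's own record is in scope,
    #    and the match is exact.
    return [a for a in ACCOUNTS
            if a["user_id"] == caller_id and a[field] == value]


if __name__ == "__main__":
    # User 2 is logged in. The vulnerable handler returns all three accounts.
    print(len(search_vulnerable(2, "email", "*")))
    # The hardened handler returns only user 2's own record.
    print(search_hardened(2, "email", "bob@example.com"))
```

The third check is the one that matters: rejecting wildcards alone would still let a caller look up another user by guessing an exact value.
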
Well, that is shitty.
Who is responsible now?
USPS is responsible; they just don't seem to want to take it at face value.