Data breaches don’t seem to end at all. Another day, another breach!
Recently the United States Postal Service (USPS) fixed a critical bug on its official website. The bug was serious: anyone with a USPS account could view account details belonging to some 60 million other users and, in some cases, even modify those details.
USPS is an independent agency of the US federal government responsible for providing postal service in the nation, and it is one of the few federal agencies explicitly authorized by the US Constitution.
According to KrebsOnSecurity, a security researcher (who remains anonymous) had reported the vulnerability to USPS more than a year earlier but received no response. Last week the researcher reached out to KrebsOnSecurity, which contacted USPS, and the issue was then addressed.
The vulnerability was an access-control weakness in one of the website's APIs. The API accepted any number of "wildcard" search parameters and did not restrict results to the records of the user making the request, so anyone who could log in to usps.com could query the system for account details belonging to other users. The flaw was not in how users logged in (callers were genuinely authenticated) but in the missing check that each record returned or modified actually belonged to that user.
Fortunately, the USPS has patched this serious vulnerability and has added a validation step to prevent unauthorized changes.
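The page gives no code for the API, so the following is an added example, constructed for this write-up and not USPS's own code, of the pattern described above and of the kind of validation step that closes it. It shows a search handler that applies caller-supplied wildcard filters across every record beside a hardened version that scopes the query to the authenticated user and rejects wildcards, and the same vulnerable/hardened pair for account updates. The record layout, field names, user ids and the choice of shell-style `*`/`?` wildcards are assumptions.

```python
"""Constructed model of the flaw described above: a logged-in user can search
account records with wildcard filters and edit records that are not theirs.
This is NOT USPS code; the data, field names and wildcard syntax are invented."""
from copy import deepcopy
from fnmatch import fnmatchcase

# Constructed sample records (invented; not real accounts). "owner" is the
# account id of the authenticated user the record belongs to.
SAMPLE_ACCOUNTS = {
    "u1001": {"owner": "u1001", "email": "alice@example.com", "street": "1 Main St", "phone": "555-0101"},
    "u1002": {"owner": "u1002", "email": "bob@example.com", "street": "22 Main St", "phone": "555-0102"},
    "u1003": {"owner": "u1003", "email": "carol@example.com", "street": "7 Oak Ave", "phone": "555-0103"},
}
MUTABLE_FIELDS = {"email", "street", "phone"}  # fields a user may change on their own record


class AccessDenied(Exception):
    """Caller is authenticated but not authorized for this record."""


class BadRequest(Exception):
    """Request shape is not allowed (e.g. wildcard filters, unknown fields)."""


def sample_store():
    """Fresh copy of the sample data so each run starts clean."""
    return deepcopy(SAMPLE_ACCOUNTS)


def _matches(record, filters):
    """Shell-style wildcard match of every filter against the record (assumption:
    '*' and '?' are the wildcard characters the API accepted)."""
    return all(fnmatchcase(str(record.get(k, "")), v) for k, v in filters.items())


def search_accounts_vulnerable(store, session_user, filters):
    """Vulnerable pattern: the caller is authenticated, but the query runs over
    every record and nothing ties results to session_user. {'email': '*'}
    returns everyone."""
    return [r for r in store.values() if _matches(r, filters)]


def search_accounts_hardened(store, session_user, filters):
    """Hardened: reject wildcard filters and scope the search to the caller's
    own records before any filter is applied (object-level authorization)."""
    for key, value in filters.items():
        if any(c in value for c in "*?["):
            raise BadRequest(f"wildcards are not permitted in filter {key!r}")
    own = [r for r in store.values() if r["owner"] == session_user]
    return [r for r in own if _matches(r, filters)]


def update_account_vulnerable(store, session_user, account_id, changes):
    """Vulnerable pattern: trusts the account_id from the request; session_user
    is never compared with the record owner, so any account can be edited."""
    store[account_id].update(changes)
    return store[account_id]


def update_account_hardened(store, session_user, account_id, changes):
    """Hardened: the 'validation step'. The record must belong to session_user
    and only allow-listed fields may change (so 'owner' cannot be rewritten)."""
    record = store.get(account_id)
    if record is None or record["owner"] != session_user:
        raise AccessDenied("account does not belong to the authenticated user")
    disallowed = set(changes) - MUTABLE_FIELDS
    if disallowed:
        raise BadRequest(f"fields not editable: {sorted(disallowed)}")
    record.update(changes)
    return record


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to demonstrate the denied paths."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    store = sample_store()
    me = "u1001"  # Alice is the logged-in user
    print("vulnerable search email='*' ->", len(search_accounts_vulnerable(store, me, {"email": "*"})), "records")
    print("hardened search email='*' rejected:", raises(BadRequest, search_accounts_hardened, store, me, {"email": "*"}))
    print("hardened search, no filter ->", [r["email"] for r in search_accounts_hardened(store, me, {})])
    print("vulnerable update of u1002 by u1001 ->", update_account_vulnerable(store, me, "u1002", {"street": "hijacked"})["street"])
    print("hardened update of u1002 by u1001 denied:", raises(AccessDenied, update_account_hardened, store, me, "u1002", {"street": "x"}))
```

The important design point is that the hardened search filters by ownership before it applies any caller-supplied criteria; rejecting wildcards alone would still let a caller enumerate other users by exact email, which is why scoping to the session user is the real fix and the wildcard check is only defence in depth.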