Just in time for the holiday shopping season, it appears the US Postal Service has fixed a security flaw that allowed all USPS.com account holders, some 60 million people, to see personal details of fellow users.
Cybersecurity expert Brian Krebs on Wednesday wrote about the bug, noting that he was contacted last week by a researcher who asked to remain anonymous. The researcher reportedly informed USPS about his findings more than a year ago, but never received a response, Krebs said. Krebs then confirmed the researcher’s findings and contacted the USPS, “which promptly addressed the issue.”
USPS representatives didn’t immediately respond to a request for confirmation and comment on Thanksgiving Day.
Krebs said the flaw stemmed from an authentication weakness in an application program interface, or API, tied to its Informed Visibility program, which lets users receive a scan of all incoming mail before it’s delivered to their address. That program was the subject of a US Secret Service advisory Krebs tracked down earlier this month
The latest bug let any logged-in USPS.com users “query the system for account details belonging to any other users,” including email addresses, usernames, user IDs, street address, phone numbers and more, Krebs said.