(RNN) – The U.S. Postal Service has patched a security flaw that potentially exposed the data of millions of customers.
The security weakness allowed anyone with an account on usps.com to view the account details for some 60 million other users, according to KrebsOnSecurity. In some cases, they could modify account information too.
The flaw was in the USPS’s Informed Visibility System, which provides “near real-time tracking data,” according to the Postal Service.
The exposed information included email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users, mailing campaign data and other information.
KrebsOnSecurity said it was contacted last week by a researcher who discovered the problem, but who asked to remain anonymous.
“The researcher said he informed the USPS about his finding more than a year ago yet never received a response,” KrebsOnSecurity reported. “After confirming his findings, this author contacted the USPS, which promptly addressed the issue.”
The USPS added a validation step to prevent unauthorized changes.
The agency said in a statement that there is no evidence the vulnerability was used to exploit customer records.
And while an October audit report from the Office of the Inspector General of the USPS found that the Informed Visibility System is generally up to snuff with its website security, it suggested some upgrades.
“Overall, the Postal Service complied with Postal Service security control requirements and industry best practices for the externally-facing and supporting IV servers and databases. However, we identified opportunities to strengthen the systems security posture to reduce the risk to the confidentiality, integrity, and availability of the system.”
Copyright 2018 Raycom News Network. All rights reserved.