Researchers have revealed details on the U.S. Postal Service (USPS) fixing a security weakness that allowed anyone who has an account at usps.com to view account details for roughly 60 million other users and in some cases to modify account details on their behalf.
The problem stemmed from an authentication weakness in a USPS Web component known as an “application program interface,” or API — a set of tools defining how various parts of an online application such as databases and Web pages should interact with one another.
Commenting on the news are the following security professionals:
Paul Bischoff, Privacy Advocate at Comparitech:
“APIs can be a very effective way for a business to allow third parties to build useful tools and applications around that business’ data, but they must be properly secured. In this case, basic access controls were not properly implemented, so anyone logged into a USPS account could, with a bit of know-how, access the details of 60 million other account holders. Furthermore, they could request changes be made to those accounts, although those changes required confirmation via email. While we’re not sure whether anyone actually took advantage of the vulnerability, it did reportedly exist for a whole year, so we should assume the worst. Informed Visibility, a USPS program tied to the API intended to be used for advanced parcel tracking, has had other security incidents in the past, so it was likely already a target for hackers.”
Mayur Upadhyaya, Managing Director, EMEA at Janrain:
“Exposing APIs can create security risks, and as such, do require a level of additional diligence. One of the challenges faced by many IT landscapes is enhancing legacy systems with additional capabilities to enable the sort of digital services that the USPS strived to deliver to its consumers. There will always be a trade-off between turn-key/off the shelf as a service software, that should provide a higher level of assurance over DIY/homegrown software, and the flexibility that organisations are seeking. Going forward, I believe we will see a greater trend to bolt-on assurance services such as API gateways and web application firewalls that can check the requesting party is authenticated and authorised to make the API call.”
Tim Mackey, Senior Technical Evangelist at Synopsys:
“With applications increasingly dependent upon third party APIs, this report highlights the risks organisations have without proper vetting of the services. Understanding the data transmitted to an API and a method to validate the sanity of the returned data should be part of the review process in all development and procurement teams. Armed with this information, API consumers can then monitor for any security disclosures associated with their API usage. When you consider the US Senate Commerce Committee is hearing briefs on a national data protection law similar to CCPA and GDPR, organisations should view tracking of API dependencies as a core strategy in reducing risks associated with potential data breaches.”
Martin Jartelius, CSO at Outpost24:
“These flaws are very common, and even more so today as APIs and modularization becomes more common and well established.
When building an API or a module in a service oriented infrastructure, each module or API must enforce authentication and authorization, either themselves or preferably by calling a centralized well defined module for this purpose.
As technical scanners have become more accurate, and as developers are more aware of security, or more inclined to use well established functions to manage secure inputs into application, attacks such as SQL injections are decreasing in frequency. However, logical issues remain not only at the same level as previously, but at an alarming rate more, a trend we have been picking up on from the rather a substantial base of clients for whom we monitor and test web application security.”
