Security Affairs
U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A flaw in US Postal Service website exposed data on 60 Million Users

US Postal Service has patched a critical bug that allowed anyone who has an account at usps.com to view and modify account details for other users US Postal Service has patched a critical bug that allowed anyone who has an account at usps.com to view and modify account details for other users, some 60 million users were affected. The news was […]

US Postal Service

US Postal Service has patched a critical bug that allowed anyone who has an account at usps.com to view and modify account details for other users

US Postal Service has patched a critical bug that allowed anyone who has an account at usps.com to view and modify account details for other users, some 60 million users were affected.

The news was first reported by the popular investigator Brian Krebs who was contacted by a researcher who discovered the issue.

The researchers, who asked to remain anonymous, reported the flaw to the USPS more than a year ago, but the company ignored him. After the public disclosure of the issue, USPS fixed the issue.

The problem resides in the USPS Informed Visibility API designed to to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.

“In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.” reads the post on KrebsonSecurity blog.

“Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms.”

The researcher discovered that using the API to search for one specific data element (i.e. an address) it was possible to retrieve multiple accounts that shared the data.

“For example, a search on the email addresses for readers who volunteered to help with this research turned up multiple accounts when those users had more than one user signed up at the same physical address.” continues Krebs.

“This is not good,” said one anonymous reader who volunteered to help with this research, after viewing a cut-and-paste of his USPS account details looked up via his email address. “Especially since we moved due to being threatened by a neighbor.”

US Postal Service

USPS implemented a validation step to prevent unauthorized changes with some specific data fields.

When a user attempt to modify the email address associated with a specific USPS account via the API it is prompted a confirmation message sent to the email address tied to that account.

The good news is that it seems that API doesn’t expose USPS account passwords.

“The API at issue resides here; a copy of the API prior to its modification on Nov. 20 by the USPS is available here as a text file.” continues Krebs.

Such kind of flaws is very dangerous, spammers could abuse them to several malicious purposes, including phishing campaigns.

Krebs also pointed out that a vulnerability assessment of Informed Visibility was published in October 2018 by the USPS’s Office of Inspector General (OIG).

Auditors discovered several authentication and encryption flaws that evidently were underestimated.

“The USPS told the OIG it had addressed the authentication problems raised in the audit report, which appear to have been related to how data was encrypted in transit.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Hacking, US Postal Service)

[adrotate banner=”5″]

[adrotate banner=”13″]