US Postal Service Exposes 60 Million Users in API Snafu

November 22nd 2018
The US Postal Service (USPS) is in the dock after an apparent API vulnerability exposed the account details of 60 million users of its online service.

The issue related to a service known as “Informed Visibility” which USPS offered to businesses, allowing them to access near real-time tracking data on packages. However, along with this data, the related API also allowed anyone logged in to USPS.com to query the account details of other users of the site and even modify some details.

These included email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and more, according to Brian Krebs.

It appears the developers omitted a key element of API security: access controls. Authentication alone (being logged in to USPS.com) was enough to read, and in some cases modify, records belonging to other users.
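The flaw described above is a missing object-level authorization check: the API verified that the caller was logged in but never verified that the caller was allowed to see the record it asked for. The following is an added illustration, not USPS code and not the Informed Visibility API; the account records, user IDs, handler names and log rows are all constructed. It shows a lookup endpoint written the broken way and the hardened way (honouring an "authorized users" list, which the article notes was among the exposed fields), an update handler with the same check, and a small defender-side scan over access-log rows that flags one session reading many other users' accounts.

```python
"""Constructed example: account lookup with and without object-level authorization."""
from dataclasses import dataclass, field, asdict
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user_id: str
    username: str
    email: str
    street_address: str
    # Other user IDs permitted to act on this account (constructed stand-in
    # for the "authorized users" field mentioned in the article).
    authorized_users: List[str] = field(default_factory=list)


# Constructed sample user store; none of these are real people.
ACCOUNTS: Dict[str, Account] = {
    "u100": Account("u100", "alice", "alice@example.invalid", "1 Main St", ["u300"]),
    "u200": Account("u200", "bob", "bob@example.invalid", "2 Oak Ave"),
    "u300": Account("u300", "carol", "carol@example.invalid", "3 Elm Rd"),
}

Response = Tuple[int, Optional[dict]]


def _is_authenticated(session_user_id: Optional[str]) -> bool:
    return session_user_id is not None and session_user_id in ACCOUNTS


def lookup_account_vulnerable(session_user_id: Optional[str], target_user_id: str) -> Response:
    """Broken pattern: checks that *someone* is logged in, then returns whatever
    record was asked for. Any authenticated user can read any other user."""
    if not _is_authenticated(session_user_id):
        return 401, None
    acct = ACCOUNTS.get(target_user_id)
    if acct is None:
        return 404, None
    return 200, asdict(acct)


def _may_access(session_user_id: str, acct: Account) -> bool:
    """Object-level rule: owner or an explicitly authorized user."""
    return session_user_id == acct.user_id or session_user_id in acct.authorized_users


def lookup_account_secure(session_user_id: Optional[str], target_user_id: str) -> Response:
    """Hardened pattern: authenticate, load the object, then authorize the caller
    against that specific object before returning anything."""
    if not _is_authenticated(session_user_id):
        return 401, None
    acct = ACCOUNTS.get(target_user_id)
    if acct is None or not _may_access(session_user_id, acct):
        # Same answer for "does not exist" and "not yours", so the endpoint
        # cannot be used to confirm which user IDs are valid.
        return 404, None
    return 200, asdict(acct)


def update_street_address_secure(session_user_id: Optional[str], target_user_id: str,
                                 new_address: str) -> Response:
    """Writes need the same per-object check as reads; the article notes the
    API also allowed some details of other users to be modified."""
    if not _is_authenticated(session_user_id):
        return 401, None
    acct = ACCOUNTS.get(target_user_id)
    if acct is None or not _may_access(session_user_id, acct):
        return 404, None
    acct.street_address = new_address
    return 200, asdict(acct)


def flag_cross_account_readers(log_rows: List[Tuple[str, str]], threshold: int = 3) -> List[str]:
    """Defender-side check over constructed access-log rows of
    (session_user_id, target_user_id): a single session reading several
    distinct accounts other than its own is the signature of bulk enumeration."""
    targets_by_session: Dict[str, set] = {}
    for session_user, target_user in log_rows:
        if session_user != target_user:
            targets_by_session.setdefault(session_user, set()).add(target_user)
    return sorted(s for s, t in targets_by_session.items() if len(t) >= threshold)


if __name__ == "__main__":
    print("vulnerable, bob reads alice:", lookup_account_vulnerable("u200", "u100")[0])
    print("secure, bob reads alice:", lookup_account_secure("u200", "u100")[0])
    print("secure, carol (authorized) reads alice:", lookup_account_secure("u300", "u100")[0])
    sample_log = [("u200", "u100"), ("u200", "u300"), ("u200", "u100"), ("u100", "u100")]
    print("sessions flagged:", flag_cross_account_readers(sample_log, threshold=2))
```

The point of the hardened handlers is that the authorization decision is made against the loaded object on every request, not once at login; a framework's "is the user logged in?" decorator does not cover this. Returning the same 404 for missing and forbidden records is a deliberate choice so that the endpoint does not double as a user-ID oracle.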

USPS claimed in a statement that the incident has now been mitigated and that it has no information that it was used in any criminal endeavor.

“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously,” it continued. “Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

With APIs becoming increasingly popular, security concerns have started to emerge. An Imperva poll earlier this year claimed 69% of firms are exposing APIs to the public and their partners, managing 363 on average per organization.

Tim Mackey, senior technology evangelist at Synopsys, said organizations should view tracking of API dependencies as a core risk reduction strategy.

“Understanding the data transmitted to an API and a method to validate the sanity of the returned data should be part of the review process in all development and procurement teams,” he added. “Armed with this information, API consumers can then monitor for any security disclosures associated with their API usage.”

Bernard Harguindeguy, CTO of Ping Identity, added that the USPS snafu should be a wake-up call for developers.

“Effective API security starts with deep visibility into all API traffic, followed by strong authentication and data governance,” he argued. “Companies' crown jewels — their customers' data — are increasingly being made accessible via APIs, and protecting this infrastructure from vulnerabilities and cyber-attacks has to be the top priority for CISOs and CIOs everywhere.”
