A researcher contacted the USPS about the issue last year; it wasn’t until they went to the press that the postal service responded
The US Postal Service left over 60 million people’s data exposed for over a year after it failed to heed the warnings of a researcher. And while the USPS data leak itself is significant, it’s the Postal Service’s lack of response to the issue that’s really cause for alarm.
After all, the USPS is an apparatus of the federal government and obstructing its work is a federal crime. So, the fact that you can hypothetically go to jail simply for intercepting a letter but the agency itself felt no sense of urgency to fix an exploit that exposed personal information for millions of people is… problematic.
Today we’re going to talk about the US Postal Service, the exploit that left millions of users’ data exposed and how the USPS handled the disclosure – a.k.a. what not to do when handling a disclosure.
Let’s hash it out.
More than you probably cared to know about the US Postal Service
The US Postal Service is still extremely important. Sure, its halcyon days are long behind it now that email is ubiquitous, but the USPS is one of the oldest and most storied agencies in the United States government. Though there were precursors to the US postal service in the various colonies prior to the American Revolution, the USPS officially came to be during the second session of the Continental Congress, where it was briefly headed by Benjamin Franklin.
The US Postal Service is one of the few government agencies explicitly authorized in the Constitution. As we mentioned, tampering with the mail is a federal offense. Willfully delivered US mail can be used to prove residency at a specific address. And as we saw in the landmark case New York v. Kringle, the postal service can even legally affirm identity (that’s a Miracle on 34th St. joke – so don’t quote me on that last one).
The point I’m rather clumsily making is that the US Postal Service is a big deal. It’s not just important from a civilian standpoint; the USPS is one of the agencies that helps government business continue to function. Ergo, it’s critical to secure it and ensure that any data it’s processing is being safeguarded. It doesn’t take a lot of imagination to figure out just how dangerous a true breach of the US Postal System could be for the USA.
That’s why the agency’s handling of this exploit is so troubling. Things break on the internet, it’s a fact of life. But failing to respond to an identified vulnerability until the press shines a light on it betrays how little seriousness the USPS regards these kinds of threats with.
What happened with the USPS exploit?
The issue stems from the Application Programming Interface (API) the US Postal Service was using for its “Informed Visibility” initiative, which is essentially a real-time analytics program for organizations that send mail in bulk.
Essentially, via this API it’s possible to get real-time information about mail and packages in-transit/on-arrival, plus – via this exploit – it was possible to query the database and harvest account details from other users like:
- Email Addresses
- User Names
- User IDs
- Account Numbers
- Phone Numbers
- Affiliated Users
- Mailing Campaign Data
And really anything else that an attacker would be creative enough to query for. That’s owing to the fact that the API was configured to allow for Wildcard search parameters without restrictions on permissions.
Think of a Wildcard search as more of an open-ended query that can return all data from a given set. That can seem a little abstract, so let’s get a little more specific. In the SSL/TLS certificate game, a Wildcard SSL certificate is one that uses an asterisk as a placeholder at a specific sub-domain level so that all the hostnames at that level of the domain can be configured for HTTPS.
So, for instance, you would list *.thesslstore.com on the CSR, and any sub-domain that appears at the domain level with the asterisk can use that SSL/TLS certificate.
Now let’s apply that same concept to querying a database. Rather than search for a specific record, you could simply use an asterisk in the query and find all of the records that share a common directory or extension. For instance, on a poorly configured database you could potentially query for:
*.docx
Now, any file with the .docx (Word) extension will show up in the results for the query.
In the case of the US Postal Service exploit, an attacker could couple wildcard queries with information that was already exposed and slowly harvest large quantities of data as they continue to poke around on the API.
How not to respond to an exploit
Where the US Postal Service needs to have a difficult discussion is in regard to its response to this situation. As we discussed, exploits happen. At this point, 60 million records being exposed is barely news. People have become numb to it. One study found two out of three respondents felt that the convenience of online shopping far outweighed the risk of a data breach.
But ignoring a legitimate warning for more than a year and allowing your inaction to amplify the threat to your users reaches an Equifax-level of negligence. Compounding this even more is the fact that this is a government agency, and plays into a larger pattern where the US federal government seems incapable or unwilling to secure its cyber assets.
This issue was originally brought to the attention of the US Postal Service in 2017. Last week, the researcher who alerted the USPS (and who has chosen to stay anonymous) must have finally gotten frustrated with its lack of action and went to the media. Specifically, to Brian Krebs, a former Washington Post tech reporter and investigator who now runs the eponymous Krebs on Security website.
Within about 48 hours of Krebs poking around, the USPS finally did something about its exploit.
“Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information,” wrote the USPS in a statement shared with Krebs. “Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity.”
“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”
As recently as October of 2018 the Office of the Inspector General had audited the US Postal Service, finding a number of issues with the agency’s authentication and encryption implementations. However, no mention of this particular exploit was ever made. That’s even more troubling because of what a basic mistake this is.
“This is not even Information Security 101, this is Information Security 1, which is to implement access control,” Nicholas Weaver, a researcher and lecturer at UC Berkeley told Krebs. “It seems like the only access control they had in place was that you were logged in at all. And if you can access other peoples’ data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well.”
Again, that’s egregious. But ignoring the initial warning for more than a year is what really merits criticism.
You should probably listen to those pesky security researchers
Owing to the very nature of the job a lot of security researchers are absolutely insufferable. Not all of them are (certainly nobody that reads Hashed Out), but if we’re really being honest a lot of them are still working through the angst-filled malaise of their teenage years and taking it out on the rest of us.
Add that to the fact that this is one of the only jobs where you’re rewarded for breaking things and then showing people how you did it and it’s kind of surprising they’re not held in the same esteem as job classes like personal injury attorneys and IRS agents.
But, what these researchers do is useful. Exceedingly so. So as much as you may have the urge to thrash someone for pointing out that your API can be manipulated to belch up your customers’ account data—you should really listen.
Sure, maybe the person reporting the problem really is a crackpot and you’re going to send your security team on a pointless goose chase for the morning. But far more often they’re right. And you’ve got a problem.
This is the epitome of don’t shoot the messenger—pimply and petulant though they may be.
Otherwise you wind up with situations where vulnerabilities are left unfixed for unacceptable periods of time. And that’s how people get fired. The USPS claims that this vulnerability was never exploited, but considering it was exposed for over a year – there’s no knowing for sure.
As always, leave any comments or questions below…