The U.S. Postal Service has been caught acting a bit too casually about computer and Internet security. Security blogger Brian Krebs reports that the Postal Service let a tip about a flaw in its computer-based Informed Visibility mail-tracking service go uncorrected for more than a year, until Krebs himself was contacted about it.
“In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers,” Krebs reports, “the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information… A cursory review by KrebsOnSecurity indicates the promiscuous API let any user request account changes for any other user, such as email address, phone number or other key details.”
Krebs adds that “In a statement shared with KrebsOnSecurity, the USPS said it currently has no information that this vulnerability was leveraged to exploit customer records, and that the information shared with the USPS allowed it to quickly mitigate the vulnerability.”
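The authorization gap Krebs describes, as an added example that is not the Postal Service's code: a read handler that checks only that the caller is logged in, beside a hardened read and update pair that also check the specific record's owner or authorized users. All account data, user names and field names here are constructed.

```python
# Added illustration: authenticated but not authorized. Sample data is constructed.
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: int
    owner: str                      # username that owns the account
    email: str
    phone: str
    authorized_users: set = field(default_factory=set)

# Constructed in-memory store standing in for the customer database.
ACCOUNTS = {
    101: Account(101, "alice", "alice@example.com", "555-0101"),
    102: Account(102, "bob",   "bob@example.com",   "555-0102", {"carol"}),
}

class Forbidden(Exception):
    """Raised when a caller asks for a record it is not permitted to see."""

def get_account_vulnerable(session_user, account_id):
    """Checks only that *someone* is logged in, so any user can read any account."""
    if session_user is None:
        raise PermissionError("login required")
    return ACCOUNTS[account_id]

def can_access(session_user, account):
    # Object-level authorization: the owner or an explicitly authorized user.
    return session_user == account.owner or session_user in account.authorized_users

def get_account(session_user, account_id):
    """Hardened read: authenticate, then authorize against the specific record."""
    if session_user is None:
        raise PermissionError("login required")
    account = ACCOUNTS[account_id]
    if not can_access(session_user, account):
        # Same message as "not found" so the id's existence is not confirmed,
        # plus an audit line so cross-account probing shows up in logs.
        print(f"AUDIT denied user={session_user} account_id={account_id}")
        raise Forbidden("no such account")
    return account

def update_account(session_user, account_id, **changes):
    """Hardened write: change requests pass through the same ownership check."""
    account = get_account(session_user, account_id)   # raises if not permitted
    for key, value in changes.items():
        if key not in ("email", "phone"):
            raise ValueError(f"field not editable: {key}")
        setattr(account, key, value)
    return account
```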
But “neither snow nor rain nor gloom of night” etc. should keep the Postal Service from being mindful of Internet vulnerabilities.