
By Shannon Morse, ThreatWire 

How long should it take a company to fix a security issue after a researcher has disclosed it to them? In the case of USPS, it took over a year to fix a serious problem, and it was fixed only after KrebsOnSecurity's Brian Krebs contacted them this month. The flaw was in the USPS.com website, and it allowed anyone with an account to view the account details of any of the site's other 60 million registered users. They could even modify another user's account if they wanted to.

The problem was in a USPS service called Informed Visibility, which is normally used to give businesses real-time tracking data on their bulk mail or marketing campaigns. An access-control weakness in the service's API let any logged-in user query any other user's information: name, address, email, phone number, user ID and more. The users doing the querying were authenticated; what the API never did was check whether they were authorized to see the records they asked for.

Even scarier, all a user needed to do to run such a query was know how to use wildcards in the API's search parameters, which could be viewed and modified from a browser. Nicholas Weaver, a researcher at UC Berkeley, told Krebs that the API never checked whether the requester was entitled to the records before handing them over. A simple server-side check that the requesting account actually owns the record it asks for would have prevented the issue.
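
The flaw class described above, as an added illustration that is not USPS code (the real Informed Visibility API is not public): a logged-in user's wildcard search and account update, first with the behaviour the article describes (login enforced, ownership never checked) and then hardened so the server scopes every query and write to the caller's own records. The in-memory user table, the field names, the `Session` class, the `fnmatch`-style wildcard filter and all function names are constructed for this example.

```python
"""Added example, not USPS code: an account-search API in which login is
enforced but ownership is never checked, next to the hardened version.
Records, field names, Session and helper names are constructed."""
import copy
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional

Record = Dict[str, str]


@dataclass(frozen=True)
class Session:
    """An already-authenticated caller; authentication is not the flaw."""
    user_id: str


class Forbidden(Exception):
    pass


# Constructed sample data standing in for the registered-user table.
ACCOUNTS: List[Record] = [
    {"user_id": "1001", "name": "Ada Example", "email": "ada@example.test", "phone": "555-0101"},
    {"user_id": "1002", "name": "Bob Example", "email": "bob@example.test", "phone": "555-0102"},
    {"user_id": "1003", "name": "Cy Example", "email": "cy@example.test", "phone": "555-0103"},
]


def fresh_accounts() -> List[Record]:
    """A private copy of the table so write examples do not bleed into each other."""
    return copy.deepcopy(ACCOUNTS)


def _matches(record: Record, filters: Dict[str, str]) -> bool:
    """Apply caller-supplied field filters. Values may use shell-style wildcards
    (* and ?), standing in for the wildcard search parameters the article mentions."""
    return all(fnmatch.fnmatchcase(record.get(field, ""), pattern)
               for field, pattern in filters.items())


def _apply_update(accounts: List[Record], target_user_id: str, changes: Record) -> Optional[Record]:
    for r in accounts:
        if r["user_id"] == target_user_id:
            r.update(changes)
            return r
    return None


def search_vulnerable(accounts: List[Record], session: Optional[Session],
                      filters: Dict[str, str]) -> List[Record]:
    """Vulnerable read path: login is enforced, but the only thing narrowing the
    result set is the caller's own filter, so {"email": "*"} returns every user."""
    if session is None:
        raise Forbidden("login required")
    return [r for r in accounts if _matches(r, filters)]


def search_fixed(accounts: List[Record], session: Optional[Session],
                 filters: Dict[str, str]) -> List[Record]:
    """Hardened read path: the server scopes the candidate set to the caller's own
    records BEFORE applying the caller's filter. Wildcards stay supported; they
    simply cannot reach anyone else's row, so no input blacklist is needed."""
    if session is None:
        raise Forbidden("login required")
    own = [r for r in accounts if r["user_id"] == session.user_id]
    return [r for r in own if _matches(r, filters)]


def update_vulnerable(accounts: List[Record], session: Optional[Session],
                      target_user_id: str, changes: Record) -> Optional[Record]:
    """Vulnerable write path: any logged-in user may edit any account."""
    if session is None:
        raise Forbidden("login required")
    return _apply_update(accounts, target_user_id, changes)


def update_fixed(accounts: List[Record], session: Optional[Session],
                 target_user_id: str, changes: Record) -> Optional[Record]:
    """Hardened write path: ownership is decided from the session, never from
    anything in the request, and the identity field cannot be reassigned."""
    if session is None:
        raise Forbidden("login required")
    if target_user_id != session.user_id:
        raise Forbidden("account does not belong to caller")
    safe_changes = {k: v for k, v in changes.items() if k != "user_id"}
    return _apply_update(accounts, target_user_id, safe_changes)


def demo() -> Dict[str, int]:
    """Run both read paths as user 1001 and report how many records each exposed."""
    me = Session("1001")
    leaked = search_vulnerable(ACCOUNTS, me, {"email": "*"})
    scoped = search_fixed(ACCOUNTS, me, {"email": "*"})
    return {"vulnerable_rows": len(leaked), "fixed_rows": len(scoped)}


if __name__ == "__main__":
    print(demo())  # {'vulnerable_rows': 3, 'fixed_rows': 1}
```

The point of the hardened version is that the fix is an authorization predicate the server adds, not a filter on what the user types: rejecting `*` in the input would only invite the next bypass (a `?` per character, or enumerating IDs), whereas scoping the candidate set to the session's own records makes the wildcard harmless.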

According to USPS, there is no evidence that the flaw was exploited maliciously. But it could have had consequences not only for the businesses that use Informed Visibility, but also for anyone targeted by scammers, phishers or stalkers, given that the exposed data included names, addresses and phone numbers.

This isn't the first issue USPS has had in recent months. Its Informed Delivery consumer feature was being abused by identity thieves to steal mail, and a report issued in October 2018 by the USPS Office of Inspector General found authentication issues in Informed Visibility unrelated to this incident.

So, while this problem has been fixed, let's return to the original question: how long should it take a company to fix an issue after being informed of one? This one took well over a year, and nothing was done until a notable journalist and security researcher reported it. If it is indeed true that a security researcher responsibly disclosed the problem and was ignored, then USPS's handling of responsibly disclosed vulnerabilities should be a top concern.


Comments

Anonymous

Just wanted to let you know that I'm enjoying these posts by Shannon and the ThreatWire team.