EXECUTIVE SUMMARY:

In the past month, hackers exploited the online delivery-tracking services of the postal services in the United States (US) and Canada.

In the US, the information of more than 60 million people was exposed due to a broken API tied to a service that lets commercial entities track packages and mail data, according to KrebsOnSecurity. What makes this situation even more unfortunate is that it had already been flagged as an incident waiting to happen.

More than a year ago, KrebsOnSecurity predicted the possibility that Informed Delivery would be abused by hackers. Krebs advised the United States Postal Service (USPS) to ‘beef up’ security for the service and to make it easier for people to opt out. Fast forward to this past month, when he reported that the US Secret Service was warning that its field offices were seeing evidence that hackers were taking advantage of Informed Delivery to commit identity theft and credit card fraud.

One of the original issues Krebs pointed to was that USPS didn’t even use its own mail service to validate and notify residents when someone at their address signed up for Informed Delivery. However, earlier this year, the USPS did fix that issue. According to Krebs, though, the hackers were one or two steps ahead.

“It appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification — possibly by waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name,” wrote Krebs, in early November.

Now fast forward again, to just over a week ago. Krebs reported that an anonymous researcher had discovered that an API connected with Informed Visibility (a commercial service that lets businesses, advertisers, and bulk mail senders access near real-time tracking data) had a significant vulnerability. Krebs describes Informed Visibility as the ‘sister initiative’ to the aforementioned Informed Delivery service.

Krebs reports, “In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.” Because of the lack of access control, the data of 60 million users was exposed.
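The class of flaw Krebs describes is a missing object-level authorization check: the API verified that the caller was logged in, but not that the caller was allowed to read the particular account it asked for. The following is an added, constructed illustration (not USPS or Krebs's code; account data, user names and the log format are all made up) showing such a lookup beside a hardened version, plus a small audit check that flags a session reading many distinct accounts, which is the access pattern a bulk data grab would leave in request logs.

```python
"""Constructed example: authenticated-but-unauthorized account lookup,
its hardened counterpart, and a log check for account enumeration."""
from collections import defaultdict

# Constructed stand-in for a customer-account store (not real data).
ACCOUNTS = {
    1001: {"owner": "alice", "authorized": {"bob"}, "email": "alice@example.com"},
    1002: {"owner": "carol", "authorized": set(), "email": "carol@example.com"},
}

class Forbidden(Exception):
    """Raised when an authenticated caller asks for a record it may not read."""

def get_account_vulnerable(session_user, account_id):
    # Authentication only: any logged-in user can read any account record.
    return ACCOUNTS[account_id]

def get_account_hardened(session_user, account_id):
    # Object-level authorization: the caller must own the record or be listed
    # as an authorized user on it. Unknown IDs get the same refusal as
    # unauthorized ones, so the endpoint does not reveal which IDs exist.
    record = ACCOUNTS.get(account_id)
    if record is None:
        raise Forbidden()
    if session_user != record["owner"] and session_user not in record["authorized"]:
        raise Forbidden()
    return record

def can_read(session_user, account_id):
    """Boolean wrapper around the hardened lookup, handy for tests and audits."""
    try:
        get_account_hardened(session_user, account_id)
        return True
    except Forbidden:
        return False

# Constructed request log: one line per account lookup, key=value fields.
SAMPLE_LOG = [
    "2018-11-20T10:00:01 user=alice account=1001",
    "2018-11-20T10:00:02 user=mallory account=1001",
    "2018-11-20T10:00:03 user=mallory account=1002",
    "2018-11-20T10:00:04 user=mallory account=1003",
]

def flag_enumerators(log_lines, threshold=3):
    """Return users who read at least `threshold` distinct account IDs."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        seen[fields["user"]].add(fields["account"])
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```

The threshold in `flag_enumerators` is a placeholder; in practice it would be tuned to the legitimate per-session volume of the service being monitored.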

Around the same time, elsewhere, the Canadian postal service discovered that cybercriminals had exploited its online delivery tracking tool, as well. Hackers were able to “steal information on 4,500 people ordering weed from a new legal dispensary in Ontario,” according to a consumer news site.

Krebs believes the API vulnerability associated with Informed Visibility affected all usps.com users, including about 13 million Informed Delivery users. While the anonymous researcher who discovered the issue had notified USPS a year ago, it was not addressed until Krebs recently reached out.

Get the full story at KrebsOnSecurity.