Subscribe to the Salt blog to learn about the latest developments in API Security

Blog Post

Lessons Learned — USPS API Vulnerability and 60 Million Exposed Users

Chris WestphalChris Westphal
Nov 28, 2018

By now you’ve probably seen the news about the USPS vulnerability where an attacker with simple access to usps.com, an understanding of the API logic and no special tools beyond a common web browser could easily manipulate that logic to get a dump of data. This dump could include account details like usernames/IDs, email addresses, account numbers, street addresses, phone numbers and a slew of other sensitive PII. It was a flaw in the API logic of the Informed Visibility USPS service that potentially exposed this data for over 60 million customers. Exploitation of the flaw in this case is not far fetched but luckily didn’t happen as far as we know.

This is another example of the research community working hard to call attention to the increasingly potential risk in insecure APIs and the need for focus on API protection. A year after the original disclosure to USPS it wasn’t until Brian Krebs called it to their attention that USPS ultimately addressed the issue. You can read more details about the vulnerability in Kreb’s article — USPS Site Exposed Data on 60 Million Users.

Get the latest API Security report and see how you compare

While APIs have become an easy way for developers to build, extend and connect applications they’ve  also become an increasing target for attackers. These types of API logic based vulnerabilities have become far too common in recent years. Many of the high profile breaches like those at T-Mobile, Facebook and Verizon have had a component of API as part of the attack path. Some, like the breach at Panera Bread had the vulnerability disclosed but left unaddressed until it was too late. It’s time to take API protection seriously.

What have we learned? API vulnerabilities are a real threat to organizations especially when customer information or other valuable data is at stake. Disclosures like these need to be taken seriously and should not be ignored for so long after disclosure. Reliance on traditional security approaches won’t keep up with this trend of API logic based attacks since these solutions have no insights into the unique logic of the APIs where attackers focus. A proactive approach to API protection must include granular knowledge of your unique APIs and an understanding of normal API behaviour in order to detect potential vulnerabilities and prevent successful attacks.

To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

July 16, 2024

Eric Schwake
Head of Product Marketing

Industry

The Biggest Factors Influencing API Security Today

Several key factors are driving the current state of API security, including the rise of AI, the ongoing digital transformation, a booming app economy, and the challenges posed by shadow IT and regulatory compliance.

Read more

July 9, 2024

Eric Schwake
Head of Product Marketing

Product

Salt Security Empowers API Governance with New Posture Policies Hub

Salt Security's Posture Policies Hub is a powerful new tool designed to help organizations simplify and streamline API posture governance.

Read more

June 21, 2024

Amanda Fitzsimmons
Head of Legal

Industry

Don't Get Salted: Why API Inventory is Key to PCI DSS 4.0 Compliance (and How Salt Security Can Help You Achieve It)

A secure API ecosystem starts with a clear understanding of what APIs you have and how they interact with your data.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide
Back