Subscribe to the Salt blog to learn about the latest developments in API Security

Blog Post

Technical

Lessons Learned — USPS API Vulnerability and 60 Million Exposed Users

Chris WestphalChris Westphal
Nov 28, 2018

By now you’ve probably seen the news about the USPS vulnerability where an attacker with simple access to usps.com, an understanding of the API logic and no special tools beyond a common web browser could easily manipulate that logic to get a dump of data. This dump could include account details like usernames/IDs, email addresses, account numbers, street addresses, phone numbers and a slew of other sensitive PII. It was a flaw in the API logic of the Informed Visibility USPS service that potentially exposed this data for over 60 million customers. Exploitation of the flaw in this case is not far fetched but luckily didn’t happen as far as we know.

This is another example of the research community working hard to call attention to the increasingly potential risk in insecure APIs and the need for focus on API protection. A year after the original disclosure to USPS it wasn’t until Brian Krebs called it to their attention that USPS ultimately addressed the issue. You can read more details about the vulnerability in Kreb’s article — USPS Site Exposed Data on 60 Million Users.

Get the latest API Security report and see how you compare

While APIs have become an easy way for developers to build, extend and connect applications they’ve  also become an increasing target for attackers. These types of API logic based vulnerabilities have become far too common in recent years. Many of the high profile breaches like those at T-Mobile, Facebook and Verizon have had a component of API as part of the attack path. Some, like the breach at Panera Bread had the vulnerability disclosed but left unaddressed until it was too late. It’s time to take API protection seriously.

What have we learned? API vulnerabilities are a real threat to organizations especially when customer information or other valuable data is at stake. Disclosures like these need to be taken seriously and should not be ignored for so long after disclosure. Reliance on traditional security approaches won’t keep up with this trend of API logic based attacks since these solutions have no insights into the unique logic of the APIs where attackers focus. A proactive approach to API protection must include granular knowledge of your unique APIs and an understanding of normal API behaviour in order to detect potential vulnerabilities and prevent successful attacks.

To learn more about how Salt can help defend your organization from API risks, you can connect with a rep or schedule a personalized demo.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

October 31, 2024

Alexandria Nicosia
Social Media Manager

Industry

Securing APIs in Retail: Safeguarding Customer Data

In the fast-paced retail industry, where customer trust and data protection are critical, API security must be a top priority to ensure both reliability and a seamless customer experience, confidence, and trust in digital services.

Read more

October 30, 2024

Eric Schwake
Head of Product Marketing

Customer

Salt Security and Dazz: A Powerful Partnership for API Security

Integrating Salt Security and Dazz provides a robust solution for organizations aiming to enhance their API and application security.

Read more

October 29, 2024

Eric Schwake
Head of Product Marketing

Industry

Lessons from the Cisco Data Breach—The Importance of Comprehensive API Security

In the wake of Cisco’s recent data breach involving exposed API tokens - amongst other sensitive information - the cybersecurity community is reminded once again of the significant risks associated with unsecured APIs.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide
Back