Breach Brief – Amazon, USPS
Amazon, the world’s largest retailer, is quietly notifying its customers of a data breach by emailing the affected account holders. Amazon officials admit to the data breach but are keeping extremely close-mouthed about the details.
The email, sent out Wednesday, offers no details as to how long customers’ personal information was exposed or where inside Amazon’s vast network the breach took place. It is also devoid of any information about the number of customers impacted, their geographic location, the purchases involved, or anything else that would concern its millions of customers.
Below is the full text of the Amazon email.
Sent: 21 November 2018 10:53
Subject: Important Information about your Amazon.com Account
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
An Amazon representative declined to offer any additional information regarding the breach except to say “We have fixed the issue and informed customers who may have been impacted.” However, Amazon does give away a simple yet vital indicator that the breach was more an internal error than an outside attack: the email clearly states, in its final sentence, that you need not change your password or take any action. That’s Amazon for “my bad!”
United States Postal Service
A much more severe breach occurred at the post office website. The U.S. Postal Service repaired a security flaw that permitted any USPS.com account holder to view account details for some 60 million other users. To make matters worse, in some cases an account holder could actually modify those account details. And the flaw existed for more than a year after the Postal Service was reportedly informed of it.
The issue came to light when an anonymous researcher reported the discovery to KrebsOnSecurity.com. The researcher said he had notified the Postal Service more than a year earlier, got no response, and nothing was done. Krebs contacted the USPS once the findings were confirmed, which resulted in immediate action.
The problem was caused by an authentication weakness in a USPS Web component known as an “application program interface,” or API. An API is basically a set of tools defining how various parts of an online application, such as databases and Web pages, should interact with one another. KrebsOnSecurity reviewed the suspect API and discovered that the flaw allowed access to near real-time data about USPS mail and packages sent by commercial customers. It also let any logged-in USPS.com user query the data for account details belonging to any other user. The information exposed included email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users, mailing campaign data and other information.
Some security experts called this a glaring, even juvenile security error on the part of the USPS. According to International Computer Science Institute researcher Nicholas Weaver, the API should have confirmed that the user requesting the data had the proper permissions to access it.
“This is not even Information Security 101, this is Information Security 1, which is to implement access control,” Weaver said. “It seems like the only access control they had in place was that you were logged in at all. And if you can access other people’s data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well.”
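The control Weaver describes, checking that the logged-in user is actually entitled to the account record being requested, is easy to show in code. The following is an added example written for this brief, not USPS or KrebsOnSecurity code: a tiny in-memory account store (constructed, with an “authorized users” field like the one in the exposed data) served by a flawed read handler next to hardened read and write handlers, plus a check over constructed access-log lines that surfaces the one pattern a flaw like this leaves behind, a single session pulling account ids it does not own. The store, session model and log format are assumptions for illustration.

```python
"""Added example (not USPS code): object-level authorization on an
"account details" API, the control Weaver describes as missing, plus a
log check for the enumeration pattern the flaw permits. The account store,
session model and log format are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    owner: str
    email: str
    street_address: str
    authorized_users: set = field(default_factory=set)


# Constructed in-memory account table standing in for the real backend.
ACCOUNTS = {
    1001: Account(1001, "alice", "alice@example.com", "1 Main St"),
    1002: Account(1002, "bob", "bob@example.com", "2 Oak Ave", {"carol"}),
    1003: Account(1003, "dave", "dave@example.com", "3 Elm Rd"),
}


class Forbidden(Exception):
    """The requesting user may not perform this action on this account."""


def vulnerable_get_account(session_user, account_id):
    """The flawed pattern: being logged in is the only check, so any
    authenticated user can read any account just by changing the id."""
    if session_user is None:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_id]


def _can_read(session_user, account):
    return session_user == account.owner or session_user in account.authorized_users


def get_account(session_user, account_id):
    """Hardened read: the caller must own the account or be an authorized user
    on it. Missing and forbidden ids get the same error so the endpoint does
    not reveal which account numbers exist."""
    if session_user is None:
        raise Forbidden("not logged in")
    account = ACCOUNTS.get(account_id)
    if account is None or not _can_read(session_user, account):
        raise Forbidden("not permitted")
    return account


def update_street_address(session_user, account_id, new_address):
    """Hardened write: reuses the read check, then requires the owner, so the
    write path is never looser than the read path."""
    account = get_account(session_user, account_id)
    if session_user != account.owner:
        raise Forbidden("only the owner may modify the account")
    account.street_address = new_address
    return account


# Constructed API access-log lines (key=value fields) for the detection check.
ACCESS_LOG = [
    "2018-11-20T10:00:01Z user=alice account_id=1001 status=200",
    "2018-11-20T10:00:05Z user=alice account_id=1001 status=200",
    "2018-11-20T10:01:12Z user=carol account_id=1002 status=200",
    "2018-11-20T10:02:00Z user=mallory account_id=1001 status=200",
    "2018-11-20T10:02:01Z user=mallory account_id=1002 status=200",
    "2018-11-20T10:02:02Z user=mallory account_id=1003 status=200",
]


def _parse(line):
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    return fields["user"], int(fields["account_id"])


def flag_enumerating_users(log_lines, threshold=2):
    """Return users who requested at least `threshold` distinct account ids
    they neither own nor are authorized on. With the flawed endpoint these
    requests succeed, so the log is the only place the pattern shows up."""
    requested = defaultdict(set)
    for line in log_lines:
        user, account_id = _parse(line)
        requested[user].add(account_id)
    flagged = []
    for user, ids in requested.items():
        foreign = [i for i in ids
                   if i not in ACCOUNTS or not _can_read(user, ACCOUNTS[i])]
        if len(foreign) >= threshold:
            flagged.append(user)
    return sorted(flagged)
```

Calling `vulnerable_get_account("mallory", 1001)` returns alice’s record, which is exactly the USPS behaviour; `get_account("mallory", 1001)` raises `Forbidden`, while `get_account("carol", 1002)` succeeds because carol is an authorized user on bob’s account. The write handler deliberately goes through the read check first and then adds an owner-only condition, which is the cheap way to make sure Weaver’s second worry (reads enforced, writes not) cannot arise. `flag_enumerating_users(ACCESS_LOG)` returns `["mallory"]`; a query of this shape over real API logs is a reasonable retroactive check for whether anyone exercised a flaw of this kind before it was fixed.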