Submitted via IRC for SoyCow1984
USPS Site Exposed Data on 60 Million Users — Krebs on Security
[...] The API in question was tied to a Postal Service initiative called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.
In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.
Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox.
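The flaw class described above (a login check with no per-record authorization, plus wildcard search) next to a scoped lookup, as an added example that is not code from the USPS API or from the article. The record fields, function names and sample data are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample data; field names are illustrative assumptions,
# not the schema of the real service.
ACCOUNTS = [
    {"user_id": 101, "username": "acme_mail",
     "email": "ops@acme.example", "authorized": {101, 102}},
    {"user_id": 102, "username": "acme_clerk",
     "email": "clerk@acme.example", "authorized": {102}},
    {"user_id": 201, "username": "bolt_print",
     "email": "it@bolt.example", "authorized": {201}},
]

WILDCARDS = set("*?[]")


class Forbidden(Exception):
    """Raised when the request must be refused."""


def search_vulnerable(session_user_id, username_pattern):
    """Flawed pattern: authentication only, no per-record authorization."""
    if session_user_id is None:
        raise Forbidden("login required")
    # Any logged-in caller receives every matching record,
    # and the pattern "*" matches all of them.
    return [a for a in ACCOUNTS
            if fnmatchcase(a["username"], username_pattern)]


def search_hardened(session_user_id, username):
    """Exact-match lookup, scoped to records the caller may read."""
    if session_user_id is None:
        raise Forbidden("login required")
    if WILDCARDS & set(username):
        raise Forbidden("wildcard search not permitted")
    # Object-level check: the caller must be listed on the record itself.
    # Unauthorized and nonexistent records both yield an empty result.
    return [a for a in ACCOUNTS
            if a["username"] == username
            and session_user_id in a["authorized"]]
```
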
(Score: 2) by drussell on Saturday November 24 2018, @12:24PM
:facepalm:
(Score: 2) by RandomFactor on Saturday November 24 2018, @03:23PM (1 child)
The use of '*' and '?' is now illegal and punishable by up to 10 years in prison per offense. First-time offenders are expected to be given community service for the first six months after the new law goes into effect. Dell and most other keyboard manufacturers immediately lauded the move as improving the overall security of the internet and will begin building keyboards without those characters immediately. IBM complained that this move devalued good will it had built many decades previously in designing early mainframe and PC keyboards.
In “Pravda” there is no news, in “Izvestia” there is no truth
(Score: 0) by Anonymous Coward on Saturday November 24 2018, @10:12PM
Oh shit. Now I have to change all my passwords!