Does this site look plain?

This site uses advanced css techniques

Unixwiz.net Security Advisory

USPS Information Disclosure Vulnerability

• Home
• Contact
• About
• TechTips
• Tools&Source
• Evo Payroll
• CmdLetters
• Research
• AT&T 3B2
• Advisories
• News/Pubs
• Literacy
• Calif.Voting
• Personal
• Tech Blog
• Evo Blog

Advisory: Unixwiz-2005-01

Date: 1 April 2005

CVE: Applied for

Vulnerability

The United States Postal Service (USPS) has offered a message-delivery service for at least 200 years, with varying levels of cost and reliability.

When a message is introduced for delivery, it also contains addressing information ("the envelope") used for routing, and it travels with the message until it reaches the destination or is returned as undeliverable.

However, due to the poor design of this protocol, the recipient's name and physical address are fully exposed in cleartext during transit, revealing Personally Identifiable Information (PII). The recipient has no control over this exposure, nor is this policy of disclosure revealed by the vendor.

The sender's Personally Identifiable Information may also be exposed, though we believe it can be spoofed.

Impact

This vulnerability is very pervasive and appears to have been present for a very long time. This makes it difficult to enumerate fully its impact, but we can touch on a few points that come to mind:

• This Personally Identifiable Information can be observed anywhere during transit, and the impact varies with the degree to which the sender and/or recipient consider it sensitive. Most businesses (and some individuals) are comfortable with open disclosure, while others treat it as confidential information.
• Traffic analysis, the observation of sender/recipient relationships, may very well reveal associations that one might wish be kept private even if the underlying message is not revealed.
• We believe that man-in-the-middle attacks are a real possibility, allowing one to intercept and replace the contents of a message in transit.

Mitigations

The design of the protocol makes mitigation somewhat difficult, but a few workarounds are available.

For the sender - Simply refrain from providing this Personally Identifiable Information when queuing a message. This will, however, impair the availability of non-delivery reports.

Furthermore, the sender can resort to alternate delivery vehicles, such as facsimile, which presents much lower risk of in-transit information disclosure for both sender and receipient.

For the Recipient - There is no recourse if the sender chooses to expose your Personally Identifiable Information on a message, your having no control over the message during transit. However, one can use a proxy service (a "post office box") to hide the ultimate delivery location, and provide the proxy address to untrusted senders. Vendors such as Mail Boxes Etc. offer such services at extra cost.

Additional research

We believe that one of USPS's lower-cost services further exposes the contents of the message itself in cleartext during transit, but we have not yet fully researched this aspect.

Furthermore, we strongly believe that other services, such as those provided by FedEx, Canada Post or Germany's Deutsche Post may also be subject to this vulnerability.

Vendor notification

The vendor (USPS) was notified, but no reply has been received; any number of reasons (snow, rain, dark of night) could explain this.