Australia Post customers exposed in direct object reference flaw


Click and Send pulled offline.

Australia Post had withdrawn its Click and Send online service after a security flaw was uncovered that could expose the details of random customers.


News.com.au reported the insecure direct object reference vulnerability, which allegedly enabled users to expose others' details by altering a shipping ID number that appeared in the URL of a completed transaction.
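The pattern described above, an ID taken from the URL and trusted as authorisation, is shown here as an added illustration (not code from Australia Post or news.com.au) with the vulnerable lookup beside the hardened one; the shipment records, user names and function names are constructed for the example, and the hardened version also returns the same refusal for missing and foreign IDs so that valid IDs cannot be enumerated by the error message.

```python
from dataclasses import dataclass


@dataclass
class Shipment:
    shipment_id: int
    owner: str          # account that created the shipment
    recipient_name: str
    address: str


# Constructed sample data standing in for the service's shipment table.
SHIPMENTS = {
    1001: Shipment(1001, "alice", "Bob Recipient", "1 Sample St, Sydney"),
    1002: Shipment(1002, "carol", "Dan Recipient", "2 Example Rd, Melbourne"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested shipment."""


def get_shipment_insecure(current_user: str, shipment_id: int) -> Shipment:
    # Vulnerable pattern: the number from the URL is the only thing consulted.
    # Any logged-in user who edits that number sees another customer's record.
    return SHIPMENTS[shipment_id]


def get_shipment_secure(current_user: str, shipment_id: int) -> Shipment:
    # Hardened pattern: fetch the record, then compare the server-side session
    # identity with the record's owner before returning any field.
    shipment = SHIPMENTS.get(shipment_id)
    if shipment is None or shipment.owner != current_user:
        # One response for "does not exist" and "not yours": a probing client
        # learns nothing about which IDs are live.
        raise Forbidden(f"shipment {shipment_id} not available to {current_user}")
    return shipment


def can_read(current_user: str, shipment_id: int, handler) -> bool:
    """True if `handler` hands `current_user` the record for `shipment_id`."""
    try:
        handler(current_user, shipment_id)
        return True
    except (Forbidden, KeyError):
        return False
```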

Click and Send could be used to prepare postage documentation online, such as customs declaration forms, and pre-pay postage.

The service was particularly targeted at eBay customers, streamlining the way they sent items they had sold on the auction site.

Australia Post said in a statement that Click and Send had been "temporarily suspended due to a system error".

The service, which is now restored, was initially re-activated with another flaw that allowed customer names to be viewed, news.com.au reported.

A system administrator tipped off News Limited to the flaw after he allegedly reported it three times to Australia Post.

The organisation did not appear to have a formal information security reporting structure.

Copyright © iTnews.com.au . All rights reserved.