Australia Post customers exposed in direct object reference flaw


Click and Send pulled offline.

Australia Post had withdrawn its Click and Send online service after a security flaw was uncovered that could expose the details of random customers.


News.com.au reported the insecure direct object reference vulnerability, which allegedly enabled users to expose others' details by altering a shipping ID number that appeared in the URL of a completed transaction.
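To make the reported flaw concrete, here is an added illustration (not Australia Post's code, and with constructed records, names and URL layout) of a shipment lookup that trusts the ID in the URL, beside a version that also binds the record to the logged-in customer:

```python
# Added illustration of the insecure direct object reference (IDOR) pattern
# described above. Records, account names and the URL layout are constructed
# for this example; none of it is Australia Post's code or data.

from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class Shipment:
    shipment_id: int
    owner: str      # customer account that created the shipment
    recipient: str  # delivery details the flaw exposed


# Constructed sample records standing in for the shipping database.
SHIPMENTS = {
    1001: Shipment(1001, "alice", "Alice Example, 1 Sample St, Melbourne"),
    1002: Shipment(1002, "bob", "Bob Example, 2 Test Rd, Sydney"),
}


def shipment_id_from_url(url: str) -> int:
    """Extract the ?shipment=<n> parameter a user can edit in the address bar."""
    params = parse_qs(urlparse(url).query)
    return int(params["shipment"][0])


def view_shipment_vulnerable(url: str, session_user: str) -> str:
    """The flawed pattern: looks up whatever ID the URL carries and never
    checks who is asking, so session_user is accepted but ignored."""
    shipment = SHIPMENTS[shipment_id_from_url(url)]
    return shipment.recipient


def view_shipment_fixed(url: str, session_user: str) -> str:
    """Hardened: the record must belong to the authenticated session user.
    Unknown and foreign IDs get the same response, so nothing reveals
    whether a guessed ID exists."""
    shipment = SHIPMENTS.get(shipment_id_from_url(url))
    if shipment is None or shipment.owner != session_user:
        raise PermissionError("shipment not found")
    return shipment.recipient


if __name__ == "__main__":
    # Bob, logged in, changes the ID in his own confirmation URL to 1001.
    url = "https://example.invalid/confirmation?shipment=1001"
    print(view_shipment_vulnerable(url, "bob"))  # leaks Alice's details
    try:
        view_shipment_fixed(url, "bob")
    except PermissionError as e:
        print("fixed handler refused:", e)
```

The ownership check is the whole fix: the ID in the URL is still used, but only as a key within the records the session user is entitled to see.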

Click and Send could be used to prepare postage documentation online, such as customs declaration forms, and pre-pay postage.

The service was particularly targeted at eBay customers, streamlining the way they sent items they had sold on the auction site.

Australia Post said in a statement that Click and Send had been "temporarily suspended due to a system error".

The service, which is now restored, was initially re-activated with another flaw that allowed customer names to be viewed, news.com.au reported.

A system administrator tipped off News Limited to the flaw after he allegedly reported it three times to Australia Post.

The organisation did not appear to have a formal information security reporting structure.

Copyright © iTnews.com.au . All rights reserved.