Australia Post had withdrawn its Click and Send online service after a security flaw was uncovered that could expose the details of random customers.
News.com.au reported the insecure direct object reference vulnerability, which allegedly enabled users to expose others' details by altering a shipping ID number that appeared in the URL of a completed transaction.
Click and Send could be used to prepare postage documentation online, such as customs declaration forms, and pre-pay postage.
The service was particularly targeted at eBay customers, streamlining the way they sent items they had sold on the auction site.
Australia Post said in a statement that Click and Send had been "temporarily suspended due to a system error".
The service, which is now restored, was initially re-activated with another flaw that allowed customer names to be viewed, news.com.au reported.
A system administrator tipped off News Limited to the flaw after he allegedly reported it three times to Australia Post.
The organisation did not appear to have a formal information security reporting structure.
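
The class of flaw reported above, an insecure direct object reference, comes down to a record lookup that trusts the ID in the URL without checking who is asking. The sketch below is an added example, not Australia Post's code: the function names, record fields and sample data are hypothetical and constructed for illustration. It places the flawed lookup beside one that enforces ownership on the server.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Shipment:
    shipment_id: str
    owner: str       # account that created the transaction
    recipient: str
    address: str


class NotFound(Exception):
    """Raised for missing AND not-owned records, so a response never
    confirms which IDs exist."""


# Constructed sample records (hypothetical data).
SHIPMENTS = {
    "1001": Shipment("1001", "alice", "Bob Example", "1 Sample St"),
    "1002": Shipment("1002", "carol", "Dan Example", "2 Sample Rd"),
}


def get_shipment_vulnerable(session_user: str, shipment_id: str) -> Shipment:
    # Flawed pattern: being logged in is treated as sufficient, so the
    # record named in the URL is returned regardless of who owns it.
    return SHIPMENTS[shipment_id]


def get_shipment_checked(session_user: str, shipment_id: str) -> Shipment:
    # Corrected pattern: the owner is compared with the authenticated
    # session on every lookup, not only when the link is generated.
    shipment = SHIPMENTS.get(shipment_id)
    if shipment is None or shipment.owner != session_user:
        raise NotFound(shipment_id)
    return shipment


def new_shipment_id() -> str:
    # Defence in depth only: random IDs are hard to guess, but the
    # ownership check above remains the actual access control.
    return secrets.token_urlsafe(16)
```

A regression test for a fix of this kind should request another account's record and assert that the response is indistinguishable from a request for an ID that does not exist.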




