URL vulnerability forces Australia Post service offline

The need to patch a security issue had forced Australia Post to take its Click and Send service offline today.

Australia Post took its Click and Send service down today for several hours to rectify a security issue at the national postal service.

It replaced the website for the service with a notice that said it had been temporarily suspended due to a "system error."

"The site has been temporarily deactivated, as our team works to ensure the security of the system for all customers," it read during the outage.

The service allows customers to prepare all the necessary documentation to have parcels sent through the mail, such as printing labels, booking a courier, and managing different addresses for items.

Australia Post's Click and Send site at the time of the outage. (Screenshot by Michael Lee/ZDNet)

The outage came as News Limited reported that one customer, Trent Bourne, had attempted to inform Australia Post of a vulnerability in its automated system used to create labels, for customers to print and stick on parcels. By changing the URL, an attacker could potentially view the invoices for other customers, including their names and addresses.

News Limited claimed that these invoices contained enough information to allow an attacker to access credit card information within user accounts, but Australia Post denies that this information was accessible.

"Australia Post would like to reassure Click and Send customers that at no stage were their financial details compromised."

It is alleged that Bourne, who discovered the vulnerability, attempted to inform Australia Post three times and was ignored, but Australia Post is adamant that they were never contacted prior to a Bourne's concerns on September 30, and that despite a search of its system, it can find no correspondence from Bourne.

In a public Twitter conversation between @auspost and @Trent_Bourne, an Australia Post representative responds to Bourne's enquiry on who a complaint should be sent to, providing him a link to Australia Post's contact form. Bourne stated that doing so could take 7-11 business days, all while information continues to leak, but when the representative offered to look into the issue themself, Bourne refused to provide the information, stating that Australia Post would "fix it before I have time to refer it to the [Office of the Australian Information Commissioner]."

Australia Post said that it had informed the Information Commissioner first thing this morning.

The security issue has now been rectified and the service is back online.