Asda online shopping flaw led to data theft and fraud risk
Tue 19 Jan 2016
Walmart-owned Asda Groceries has spent two years skirting around alleged security vulnerabilities on its online platform, according to a UK cyber expert. The retailer has this week acknowledged the bugs which could have handed over control of customer accounts to hackers.
Paul Moore, who discovered the flaws, said that Asda had played down the severity of the risk since he first reported it to the company in March 2014, if not earlier. The issues included interlinked cross-site request forgery (CSRF/XSRF) and cross-site scripting (XSS) vulnerabilities. A proof of concept was published in November last year.
According to Moore, there was no XSRF protection on the site, making it possible to remotely hijack any active customer account without knowing the username or password. He added that hackers would have been able to remotely add and remove items from the basket and to direct shipment to an alternative address – increasing the risk of fraud and identity theft.
Moore has been in communication with Asda over the past year. He confirmed that the 40/56-bit ciphers had been removed from its SSL configuration, but that all the other issues he had raised, including HTTP sessions, CSRF and XSS, remained vulnerable until the beginning of this week.
Asda reportedly made the changes to its site over the weekend but this only blocked the initial vector of the XSRF attack, instead of dealing with the root cause of the issue.
Moore explained that users would have been exposing their accounts to hacking and data theft simply by navigating to another window or tab.
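The root-cause fix Moore refers to is a server-side check that a basket or delivery-address change actually came from the retailer's own page. The following is an added illustration of such a check, not code from the article or from Asda's site; the origin, session id and field names are assumed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: in production the key comes from a secret store, not process memory.
SERVER_SECRET = secrets.token_bytes(32)
# Assumption: placeholder origin for the shop; not a real site.
SITE_ORIGIN = "https://groceries.example"


def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in its own forms, bound to the session by HMAC
    so a token captured from one session is useless against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url: str) -> bool:
    """Exact scheme+host match; a prefix test would accept look-alike hosts."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def request_allowed(session_id: str, headers: dict, form: dict) -> bool:
    """Allow a state-changing request only if it proves it came from our page.

    The browser attaches the session cookie automatically to any request,
    including one launched from another tab, so the cookie alone proves nothing.
    """
    # 1. Origin (or Referer) must be ours; a missing header is treated as foreign.
    source = headers.get("Origin") or headers.get("Referer") or ""
    if not same_origin(source):
        return False
    # 2. Synchronizer token: a third-party page cannot read our form to copy it.
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(supplied, csrf_token_for(session_id))
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the token check above is what closes the hole regardless of how the forged request is launched.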
Yesterday Asda stated that it was looking into a fix, commenting that it takes the security of its websites very seriously. “We review our systems and software regularly. The highlighted security issues are being dealt with and there is a very low risk to any customer information.”
Moore responded to the statement arguing that it was “unreasonable” for the retailer to claim that it takes security ‘very seriously’ when its website placed an estimated 19 million transactions at risk over two years.