Asda website bug left millions of customers at risk of hacking

News
19 Jan, 2016

Supermarket retailer says security hole has been fixed, with no hacking victims

A fault on Asda’s website could have exposed millions of customer records and payment details to potential hackers, a security researcher has revealed.

Paul Moore first contacted the supermarket giant about the flaw that allows an attacker to swiftly collect personal information and full payment details back in March 2014.

Asda, whose Walmart-ran website gets 90 million visits a year according to digital marketing firm Code Computer Love,  promised a fix would be ready “in the next few weeks”.

But since then Moore claimed that little has changed - sharing a tweet from Asda a few days ago that claimed its websites were secure, though Asda claimed it has now fixed the bug.

Moore yesterday uploaded a blog post detailing the fault with Asda’s website, which is run by US owner Walmart, saying it relates to cross-site request forgery (CSRF) and cross-site scripting (XSS).

Effectively, the flaws mean that anyone logged into the Asda site, who also has another malware-infected page open, would be vulnerable to hackers.

An Asda spokesman told IT Pro: “Asda and Walmart take the security of our websites very seriously.  We are aware of the issue and have implemented changes to improve the security on our website.”

While Asda said no customers have been exploited, the researcher directed attention to a tweet from an Asda customer who claimed that their account had been hacked in June 2014.

And he said that millions of transactions will have taken place since he first notified the supermarket chain of its security hole, while the main CSRF- and XSS-related error weren’t the only issues that Moore spotted on Asda’s website.

He also pointed out that it does not enforce SSL/TLS protocols, common forms of website security that other popular online retailers and social networking sites use, to ensure a secure connection between the server and its customers.

Moore said: "Asda/Walmart have had ample opportunity to fix these issues and have failed to do so. If you must continue shopping with Asda, open a private window and do not open any other tabs or windows until you've logged out."

IT Pro understands that Asda does not believe there is any possibility of a large-scale security breach, and the grocer insisted its website has multiple layers of security.