Asda Website Flaw Exposes Shoppers For Almost Two Years

A security flaw on the website of British supermarket chain Asda allowed hackers to collect personal information and payment details from shoppers for almost two years.

The flaw was first spotted by security consultant Paul Moore back in March 2014, who immediately alerted Asda to the security vulnerability. However, Moore said Asda did not take action until just this week, when he made the flaw public.

Asda has said that the flaw is now fixed, and no customers were affected.

An Asda spokesperson said that “multiple layers of security [are] in place on our grocery website”, and that Asda had “implemented a number of changes to our website to improve customer security”.

Compromised

The spokesperson also said that there was no knowledge of any customer information having been compromised during the time period the flaw was open.

“We also believe that there is no prospect of a scale security breach,” the spokesperson said. “Asda and Walmart take the security of our websites very seriously.”

Moore went public with information about the vulnerability on Monday 18th January, and said that after initially making Asda aware of the flaw “little appears to have changed”.

On his blog, he claimed that hackers could access customer details by using a combination of cross-site scripting (XSS) and cross-site request forgery (CSRF).

Ross Brewer, managing director for international markets at security firm LogRhythm, commented on the flaw:

“We may have all hoped that 2016 would be the year that companies would finally learn the IT security lesson. Sadly, we are just a couple of weeks in and this already doesn’t seem to be the case.

“With no XSRF protection throughout the site, these vulnerabilities could have potential long-term consequences for both Asda and its customers. This flaw not only provides an opportunity for hackers to access payment data – albeit a slim one – but it enables them to activate customers’ accounts without knowing their username or password.”

Moore pointed to data that showed Asda processed more than 200,000 online orders each week in the second quarter of 2014, meaning that for the length of time the website has been exploitable, more than 19 million transactions have occurred.

“I’m not aware of any evidence suggesting these exploits are being used in the wild,” wrote Moore. However, Moore did show tweets from Asda shoppers who claimed to have been hacked.

“Unfortunately, it’s difficult to know if your details have been stolen unless the attacker uses the information very shortly after the breach occurs, such that it’s reasonable to assume a link between the two,” wrote Moore.

“However, ASDA may be able to shed further light on anyone affected by this, or any other exploit.”

For now, Moore suggested that the best way to keep safe is “simply to shop elsewhere”.

“ASDA/Walmart have had ample opportunity to fix these issues and have failed to do so. If you must continue shopping with ASDA, open a ‘private’ / ‘incognito’ window and do not open any other tabs/windows until you’ve logged out,” he wrote.

TechWeekEurope has contacted Asda for further information.


Ben Sullivan

Ben covers web and technology giants such as Google, Amazon, and Microsoft and their impact on the cloud computing industry, whilst also writing about data centre players and their increasing importance in Europe. He also covers future technologies such as drones, aerospace, science, and the effect of technology on the environment.
