UPDATED 08:20 EST / DECEMBER 11 2014

Alibaba dodges bullet as researchers flag security flaw in its commerce engine

Alibaba Group Holding Ltd. has patched a major vulnerability in one of its e-commerce portals that exposed tens of millions of users to possible account theft or worse. Almost as alarming as the magnitude of the threat, which was successfully averted, is the ease with which a keen-eyed cybercriminal could have exploited the flaw to compromise the world’s largest e-commerce company.

Amitay Dan of AppSec Labs Ltd. stumbled upon the bug after beginning the registration process for AliExpress, the Chinese retail giant’s fast-growing business-to-consumer wholesale marketplace, and becoming suspicious of where his personal information would end up. The security researcher acted on his professional intuition and soon found that the website harbored a simple but potentially catastrophic vulnerability.

When a user clicks to view or update shipping information on AliExpress, they are redirected to a URL generated from their pre-assigned identification number. Dan quickly noticed that the system accepted the same URL with a different identifier, which allowed him to gain complete access to the accounts of other customers. Compromising the entire user base would have simply been a matter of writing a script that iterates through every value of the link’s “mailingAddressId” parameter.
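The flaw described above is an insecure direct object reference: the server trusts the record identifier in the URL and never checks that it belongs to the logged-in account. The following added example (not AliExpress code; all names, ids and records are constructed for illustration) shows a minimal shipping-address lookup with that defect beside the ownership check that closes it:

```python
# Added example (not AliExpress code): an IDOR on a shipping-address
# lookup and the ownership check that closes it. Names, ids and
# records below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class MailingAddress:
    address_id: int   # sequential, like the "mailingAddressId" parameter
    owner_id: int     # account that created the record
    street: str


# Constructed sample data: three records belonging to two accounts.
ADDRESSES = {
    1001: MailingAddress(1001, owner_id=7, street="1 First St"),
    1002: MailingAddress(1002, owner_id=7, street="2 Second Ave"),
    1003: MailingAddress(1003, owner_id=9, street="3 Third Rd"),
}


class NotFound(Exception):
    """Raised for both missing and foreign records, so the response does
    not reveal which ids exist (no enumeration feedback)."""


def get_address_vulnerable(session_user_id: int, address_id: int) -> MailingAddress:
    # Looks the record up by id alone and trusts the id from the URL.
    # Any authenticated user can read any address by changing the id.
    record = ADDRESSES.get(address_id)
    if record is None:
        raise NotFound()
    return record


def get_address_fixed(session_user_id: int, address_id: int) -> MailingAddress:
    # Same lookup, but the record must belong to the session's account.
    # Authorization comes from the server-side session, never from
    # anything the client sends in the URL.
    record = ADDRESSES.get(address_id)
    if record is None or record.owner_id != session_user_id:
        raise NotFound()
    return record


def can_read(handler, session_user_id: int, address_id: int) -> bool:
    """True if the handler returns the record, False if it refuses."""
    try:
        handler(session_user_id, address_id)
        return True
    except NotFound:
        return False
```

The fixed handler answers a foreign id exactly as it answers a nonexistent one, so a scan over the id space learns nothing about which records exist.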

If criminals had spotted the flaw first, they could have unleashed a massive phishing attack against shoppers spanning the more than 200 countries where the service is used. But it got worse. Building on the initial discovery, a colleague of Dan at AppSec Labs found that the vulnerability affected not only buyers but merchants as well, who were at risk of hackers stealing banking information or lowering prices to commit fraudulent transactions.

After several days of wrangling with the researchers, Alibaba acknowledged the bug and rolled out a fix. But although the matter was resolved before any damage could be done (save some negative publicity for the company), Alibaba’s slow response is raising questions about its ability to quickly address a crisis.

That’s a lesson SAP SE should carefully consider as it prepares to take on Alibaba with its own trade portal.

Photo via Pixabay
