UPDATED 14:18 EDT / DECEMBER 16 2015

NEWS

Target botches holiday season cybersecurity, again

Two years and about $300 million in legal costs later, Target Corp. still seems not to have fully internalized the lessons of the 2013 holiday season breach, in which attackers stole the payment card data of some 40 million of its customers. Avast Software s.r.o. issued a security alert this week warning of a vulnerability in the retailer’s wish list app that can be exploited to pull users’ details without compromising their mobile devices at all: Target’s own servers hand the data out.

An attacker need only work out the scheme the client uses to generate the unique code assigned to each account, the key under which the service files customer data. Once the pattern is known, which apparently did not take the Avast researchers who found the flaw very long, a script can cycle through every possible code and send each one as a query to the app’s publicly reachable programming interface. Because each code is derived by a formula rather than drawn at random, the set of valid codes can be enumerated instead of guessed.

Target had put no authentication in front of the service to vet such requests, and the antivirus maker used that gap to collect a sample of 5,000 accounts for research purposes. Analysis of the sample showed that the exposed endpoint returns practically everything users have entered into the app: names, email and home addresses, phone numbers and, of course, holiday wish lists. The only reason payment details are absent from the data is that the app does not ask for any at account creation.
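The two preceding paragraphs describe a classic pairing: account codes that follow a derivable pattern, and an endpoint that answers anyone who presents one. The example below is added here for illustration and is not Target’s or Avast’s code; the code “formula”, the sample accounts and both API classes are invented, and nothing in it reflects the real app’s identifier scheme. It shows how a scraper walks a predictable keyspace once the pattern is known, and the two independent controls that close the hole: an unguessable random code, and an authorization check that ties each record to the session requesting it. Either fix alone leaves a gap (a random code still leaks to whoever learns it; an owner check does not stop an attacker who can log in and hit low-entropy codes), so both are applied.

```python
"""Predictable account codes plus an unauthenticated lookup endpoint, beside
the two controls that close the hole.

Constructed example, not Target's or Avast's code: the code 'formula', the
sample accounts and both API classes are invented for illustration.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class Account:
    name: str
    email: str
    wishlist: List[str] = field(default_factory=list)


# Constructed sample records (invented, not real customer data).
ACCOUNTS: List[Account] = [
    Account("Ada", "ada@example.com", ["board game", "kettle"]),
    Account("Bao", "bao@example.com", ["headphones"]),
    Account("Cyd", "cyd@example.com", ["scarf", "novel", "mug"]),
]


def predictable_code(counter: int) -> str:
    """Hypothetical client-side 'formula': a prefix plus a short sequential
    counter. Any code derived from a small counter has a walkable keyspace."""
    return f"WL{counter:04d}"


class VulnerableWishlistApi:
    """Returns a record to anyone who presents its code: no session, and no
    check that the caller owns the account."""

    def __init__(self, accounts: Iterable[Account]) -> None:
        self._by_code: Dict[str, Account] = {
            predictable_code(i): acct for i, acct in enumerate(accounts, start=1)
        }

    def lookup(self, code: str) -> Optional[Account]:
        return self._by_code.get(code)


def enumerate_records(api: VulnerableWishlistApi, counters: Iterable[int]) -> List[Account]:
    """What a scraper does once the pattern is known: regenerate every
    candidate code and keep each one the endpoint answers."""
    hits: List[Account] = []
    for i in counters:
        rec = api.lookup(predictable_code(i))
        if rec is not None:
            hits.append(rec)
    return hits


class HardenedWishlistApi:
    """Two independent fixes. Codes are 128-bit random values, so the keyspace
    cannot be walked; and lookup requires a session whose owner matches the
    record, so even a leaked code is useless to a third party."""

    def __init__(self, accounts: Iterable[Account]) -> None:
        self._by_code: Dict[str, Account] = {}
        self._code_of_email: Dict[str, str] = {}
        self._sessions: Dict[str, str] = {}  # session token -> owner email
        for acct in accounts:
            code = secrets.token_urlsafe(16)  # 16 random bytes = 128 bits
            self._by_code[code] = acct
            self._code_of_email[acct.email] = code

    def login(self, email: str) -> str:
        """Stand-in for real authentication; issues an opaque bearer token."""
        if email not in self._code_of_email:
            raise KeyError("unknown account")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = email
        return token

    def my_code(self, session_token: str) -> str:
        """A signed-in user may see their own code (e.g. to share a list)."""
        return self._code_of_email[self._sessions[session_token]]

    def lookup(self, code: str, session_token: Optional[str]) -> Optional[Account]:
        owner = self._sessions.get(session_token) if session_token else None
        if owner is None:
            return None  # unauthenticated request: refuse outright
        acct = self._by_code.get(code)
        if acct is None or acct.email != owner:
            return None  # authorization failure: not the caller's record
        return acct


if __name__ == "__main__":
    vuln = VulnerableWishlistApi(ACCOUNTS)
    scraped = enumerate_records(vuln, range(1, 10_000))
    print(f"unauthenticated scan of 9,999 codes recovered {len(scraped)} of {len(ACCOUNTS)} accounts")
    hard = HardenedWishlistApi(ACCOUNTS)
    ada = hard.login("ada@example.com")
    hits = sum(hard.lookup(predictable_code(i), ada) is not None for i in range(1, 10_000))
    print(f"same scan, logged in, against the hardened API recovered {hits} accounts")
```

Running the block scrapes every constructed account from the vulnerable API with a blind counter walk, while the same walk against the hardened API, even from a logged-in session, recovers nothing. In a real app that lets users share lists, the owner check would be replaced by an explicit grant table rather than by knowledge of the code.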

Target has blocked the vulnerable endpoint since Avast’s alert, but that is little consolation to the tens of thousands or more of consumers who may have downloaded the app since the start of the holiday season. Attackers had nearly a month to find and exploit the flaw, so there is a real chance that users’ personally identifiable information will soon start surfacing on the black market.

Image via JavadR
