Target botches holiday season cybersecurity, again
Two years and about $300 million in legal costs later, it seems that Target Corp. still hasn’t fully internalized the lessons from the 2013 holiday season breach that saw hackers steal the personal information of more than 40 million of its customers. Avast Software s.r.o. issued a security alert this week warning of a vulnerability in the discount retailer’s wish list app that can be exploited to pull users’ details without so much as having to compromise their mobile devices.
An attacker would simply have to work out the mathematical formula the client uses to generate the unique code assigned to each account for tracking customer data. After cracking the pattern, which apparently didn’t take the Avast researchers who discovered the exploit very long, a script can be written to cycle through every possible character combination and feed each resulting sequence into a query to the publicly accessible programming interface of Target’s app.
Because the company had neglected to build any sort of authentication mechanism into the service to vet such requests, the antivirus maker was able to collect a sample dataset of 5,000 accounts for research purposes. The subsequent analysis revealed that the exposed access point makes it possible to retrieve practically all of the information users have provided to Target’s app, including names, email and home addresses, phone numbers and, of course, holiday wish lists. The only reason payment details are absent from the data trove is that the client doesn’t require any to be entered during account creation.
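The two weaknesses the alert describes, a derivable account code and a lookup endpoint with no authentication, are illustrated below side by side with a hardened form, using a constructed in-memory store rather than anything from Target’s or Avast’s own code; the account numbers, names and code format are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    email: str
    wishlist: list = field(default_factory=list)

# Constructed sample data standing in for the app's user store.
ACCOUNTS = {
    1001: Account("Alice", "alice@example.com", ["scarf"]),
    1002: Account("Bob", "bob@example.com", ["board game"]),
}

def insecure_code(account_number: int) -> str:
    # Weak pattern (assumed format): a code derived by a fixed formula
    # from a sequential account number is as guessable as the number.
    return f"WL{account_number:06d}"

def lookup_insecure(code: str):
    # No authentication: any caller who produces a valid code gets the
    # full record, so the whole keyspace can be walked from outside.
    for number, acct in ACCOUNTS.items():
        if insecure_code(number) == code:
            return acct
    return None

# Hardened form: lookups are bound to an authenticated session and the
# server checks that the session owner is the account being requested.
SESSIONS: dict[str, int] = {}

def login(account_number: int) -> str:
    # Session tokens are unguessable random values, not derived from
    # the account number, so knowing the number buys an attacker nothing.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_number
    return token

def lookup_secure(session_token: str, account_number: int):
    owner = SESSIONS.get(session_token)
    if owner is None or owner != account_number:
        # Unknown session, or a valid session asking for someone else's
        # data: deny rather than serve the record.
        return None
    return ACCOUNTS.get(account_number)
```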
The discount retailer has blocked the vulnerable elements in the wake of Avast’s security alert, but that’s not much consolation to the upwards of tens of thousands of consumers who may have downloaded the app since the beginning of the holiday season. Hackers had nearly a month to find and exploit the flaw, which means that there’s a good chance users’ personally identifiable information could soon start surfacing on the black market.
Image via JavadR