Asda website bug could have exposed millions of customers’ payment details
20 January 2016
Supermarket Asda's website had a security vulnerability that could have left millions of customers' details open to hackers, according to a researcher.
The now-fixed flaw, which could have exposed personal information and payment details, was first disclosed to the firm by Paul Moore in March 2014.
Moore went public with the flaw because “little appears to have changed” after the supermarket promised a fix “in the next few weeks” back in 2014.
In a blog post on the issue, he detailed a string of tweets from concerned users that were dismissed by Asda’s social media team, which said its site was “fully secure”.
Asda said it has now fixed the issue and that no customers were affected.
“Asda and Walmart take the security of our websites very seriously,” it told the BBC. “We are aware of the issue and have implemented changes to improve the security on our website.”
The vulnerability combined cross-site scripting (XSS) and cross-site request forgery (CSRF), which could be exploited to access information users submitted to the website.
Following the post, Asda said its changes had removed any risk to customer information or card details and it was adding “further enhancements” expected to be in place by yesterday evening.
Asda is far from the only website to have been affected by XSS vulnerabilities.
Earlier this month, a researcher claimed that a similar flaw could give hackers access to eBay users’ credentials. This issue was later fixed.
In addition, researchers have found that the embedded web interfaces of millions of Internet of Things devices could be vulnerable to exploits including XSS.