Asda Website Flaw Exposes Shoppers For Almost Two Years

A vulnerability in Asda’s website found by a security consultant in March 2014 was left unchecked, but Asda claims no shoppers were affected

A security flaw on the website of British supermarket chain Asda allowed hackers to collect personal information and payment details from shoppers for almost two years.

Security consultant Paul Moore first spotted the flaw back in March 2014 and immediately alerted Asda to the vulnerability. However, Moore said Asda did not take action until just this week, when he made the flaw public.

Asda has said that the flaw is now fixed, and no customers were affected.

An Asda spokesperson said that “multiple layers of security [are] in place on our grocery website”, and that Asda had “implemented a number of changes to our website to improve customer security”.

Compromised

The spokesperson also said that there was no knowledge of any customer information having been compromised during the time period the flaw was open.

“We also believe that there is no prospect of a scale security breach,” the spokesperson said. “Asda and Walmart take the security of our websites very seriously.”

Moore went public with information about the vulnerability on Monday 18th January, and said that after initially making Asda aware of the flaw “little appears to have changed”.

On his blog, he claimed that hackers could access customer details by using a combination of cross-site scripting (XSS) and cross-site request forgery (CSRF).

Ross Brewer, managing director for international markets at security firm LogRhythm, commented on the flaw:

“We may have all hoped that 2016 would be the year that companies would finally learn the IT security lesson. Sadly, we are just a couple of weeks in and this already doesn’t seem to be the case.

“With no XSRF protection throughout the site, these vulnerabilities could have potential long-term consequences for both Asda and its customers. This flaw not only provides an opportunity for hackers to access payment data – albeit a slim one – but it enables them to activate customers’ accounts without knowing their username or password.”

Moore pointed to data that showed Asda processed more than 200,000 online orders each week in the second quarter of 2014, meaning that for the length of time the website has been exploitable, more than 19 million transactions have occurred.

“I’m not aware of any evidence suggesting these exploits are being used in the wild,” wrote Moore. However, Moore did show tweets from Asda shoppers who claimed to have been hacked.

“Unfortunately, it’s difficult to know if your details have been stolen unless the attacker uses the information very shortly after the breach occurs, such that it’s reasonable to assume a link between the two,” wrote Moore.

“However, ASDA may be able to shed further light on anyone affected by this, or any other exploit.”

For now, Moore suggested that the best way to keep safe is “simply to shop elsewhere”.

“ASDA/Walmart have had ample opportunity to fix these issues and have failed to do so. If you must continue shopping with ASDA, open a ‘private’ / ‘incognito’ window and do not open any other tabs/windows until you’ve logged out,” he wrote.

TechWeekEurope has contacted Asda for further information.
