Supermarket chain takes forever to fix XSS and CSRF bugs

Jan 19, 2016 23:46 GMT

ASDA, a British-based supermarket chain owned by Walmart, has taken its sweet time fixing two security vulnerabilities on its online shop.

If exploited, these security flaws would have allowed an attacker to collect payment details from anyone using the ASDA website to buy groceries or other products.

ASDA only fixed these flaws after independent security consultant Paul Moore published a blog post detailing his findings.

Security bugs were initially discovered in March 2014

Mr. Moore says that he found the flaws in March 2014 and that, after acknowledging his initial email, ASDA's security team did not do anything to address the reported issues.

According to Mr. Moore, the asda.com website was vulnerable to XSS (cross-site scripting) and CSRF (cross-site request forgery) issues.

A typical attack would require a hacker to trick an ASDA shopper into opening a malicious link that issues a forged request to asda.com (the CSRF step) before the shopper visits the site. Once the shopper is on the ASDA site, the XSS payload would execute, allowing the hacker to intercept payment form details and send them to a server under their control. Mr. Moore also published a proof-of-concept video demonstrating the attack.

According to ASDA's own statistics, shoppers place around 200,000 online orders each week. This means that, between the time the vulnerabilities were discovered and the time ASDA fixed them, an attacker would have been able to intercept roughly 19 million transactions.

ASDA also suffers from other poor security practices

Besides the XSS and CSRF bugs, Mr. Moore also discovered that ASDA wasn't using HTTPS for the login page and that the company employed expired certificates for its job board, potentially exposing the details of people applying for jobs.

Additionally, the site's Data Protection email address seems to be running an out-of-office message for the holidays even now, in the middle of January.

While ASDA has kept mum on the incident, Mr. Moore has also found a tweet from June 2014 in which a customer reported a fraudulent transaction and was trying to get in contact with ASDA about it.