Vulnerabilities Discovered in Alibaba Marketplace Put Millions of Merchant and Buyer Accounts at Risk
A critical security vulnerability has been discovered on AliExpress, owned by China’s largest e-commerce giant Alibaba. The vulnerability, if exploited by criminal hackers, could have exposed account details of tens of millions of merchants and shoppers, reported security firm AppSec Labs.
Alibaba security vulnerability:
Discovered by Barak Tawily of AppSec Labs, this cross-site scripting (XSS) vulnerability in AliExpress was found in a form that allows buyers to send messages to suppliers. By adding malicious code to the body of that message form, a hacker could get the seller’s session ID, enabling him to perform actions on the victim’s behalf and take over the merchant’s store. Alibaba Group patched this major security vulnerability after the security firm reported it to the group.
Alibaba is considered one of the top e-commerce giants based in China and serving international markets. Because the platform serves more than 300 million active users from around 200 countries, any security vulnerability in it has the capability of exposing details of millions of sellers and buyers.
Tawily reported that by exploiting this vulnerability, he was able to change product prices, delete goods, and even close the merchant’s shop on the e-commerce site. In July of last year, another security loophole was discovered in AliExpress by another Israel-based security firm, potentially enabling hackers to access the shipping details and contact information of any AliExpress buyer simply by playing a little with the URL.
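The class of flaw described above, shown from the defender's side as an added example (not AliExpress code and not taken from the AppSec Labs report): a buyer message rendered into a seller's inbox with and without output encoding, plus a session cookie marked `HttpOnly` so page script cannot read it. All function names, the cookie name and the sample message are hypothetical and constructed for illustration.

```javascript
// Added example with hypothetical names; it does not reflect how Alibaba fixed the issue.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode untrusted text for HTML element content or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the buyer-supplied body is concatenated into the
// seller's inbox page, so any markup in it is parsed by the seller's browser.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><b>${msg.from}</b>: ${msg.body}</div>`;
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderMessageSafe(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.body)}</div>`;
}

// Defense in depth: HttpOnly keeps the session ID out of reach of page script,
// so an injection that slips through cannot simply read the cookie.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Regression check: does the rendered HTML contain a live <script> element
// or an inline event handler inside a real tag? Encoded text does not match.
function containsActiveMarkup(html) {
  return /<script\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample message, as a buyer might submit it through the form.
const constructedMessage = {
  from: "buyer-123",
  body: "Is this in stock? <script>alert(1)</script>",
};

console.log("unsafe render active:", containsActiveMarkup(renderMessageUnsafe(constructedMessage)));
console.log("safe render active:  ", containsActiveMarkup(renderMessageSafe(constructedMessage)));
console.log("Set-Cookie:", sessionCookieHeader("constructed-session-id"));
```

`HttpOnly` limits cookie theft only; script injected into the seller's page can still act within that session, so output encoding remains the primary fix.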
Alibaba responded to the discovery:
We are aware of the issue and took immediate steps to assess and remedy the situation. We have already closed the potential vulnerability and we will continue to closely monitor the situation. The security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms. – Candice Huang, manager of International Corporate Affairs for Alibaba Group.
– Source: Multichannel Merchant