Target Hit With Another Security Vulnerability Exposing Consumers’ Personal Data
Last year, Target's security systems were breached by hackers, leading to the leak of credit card information of over 70 million consumers. Earlier this year, personal data of over 15 million Target consumers was exposed in a security breach of Experian, a vendor that processes T-Mobile's credit applications. The Minnesota-based retailer is back in the news again for leaking private information of its consumers, this time because of a flaw in the retailer's mobile app.
Target mobile app vulnerable to hackers:
Did you choose to share your Christmas wish list through the Target mobile app? While Santa Claus may not be able to get you those gifts, Target has certainly made sure that your list is known to other, less welcome people. In a blog post, security researchers from Avast have revealed a flaw in the company's mobile app that allows unauthorized access to customers' private information, including email addresses, shipping addresses and phone numbers extracted from wish lists created with the app. This time, though, the flaw does not expose credit card information, so customers' finances remain somewhat safer.
According to the blog post, the app's API is easily accessible over the Internet and doesn't require any authentication:
To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.
The JSON file we requested from Target’s API contained interesting data, like users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries. We did not store any personal information, but we did aggregate data from 5,000 inputs, enough for statistical analysis.
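The pattern Avast describes, an endpoint that returns a customer's full record for any guessable user ID without asking who is calling, is the same failure whether the data is a wish list or anything else. The following is an added example, not code from Avast, Target or this article, that puts a toy version of that flawed handler next to a hardened design: owner access requires an authenticated session, and sharing a list publicly goes through an unguessable token and returns only the list items, never contact details. Endpoint names, fields, users and sessions are all constructed for illustration.

```python
"""Added example (not Avast's or Target's code): a toy registry API showing
the unauthenticated, guessable-ID flaw beside a hardened design.
All names, fields and sample users below are constructed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Registry:
    owner_name: str
    email: str
    shipping_address: str
    phone: str
    items: list = field(default_factory=list)


# Constructed sample data, keyed by sequential integer user IDs as in the
# flawed design (sequential IDs are trivially enumerable).
REGISTRIES = {
    1001: Registry("Alice", "alice@example.com", "1 Main St", "555-0100", ["lamp"]),
    1002: Registry("Bob", "bob@example.com", "2 Oak Ave", "555-0101", ["mug", "book"]),
}


def vulnerable_get_registry(user_id):
    """Flawed handler: no authentication and no ownership check, so any
    caller who guesses a valid user_id receives the owner's contact data."""
    reg = REGISTRIES.get(user_id)
    if reg is None:
        return None
    return {
        "name": reg.owner_name,
        "email": reg.email,
        "shipping_address": reg.shipping_address,
        "phone": reg.phone,
        "items": list(reg.items),
    }


# Hardened design. Two separate views:
#   1. the owner's view, reachable only through an authenticated session;
#   2. a public view, reachable only through a random share token, which
#      exposes the list items and display name but no contact details.
SESSIONS = {"sess-alice": 1001}   # constructed: session id -> user id
SHARE_TOKENS = {}                 # share token -> user id


def create_share_token(user_id):
    """Mint an unguessable share token for the given registry owner."""
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[token] = user_id
    return token


def get_own_registry(session_id):
    """Owner view: the user id comes from the session, never from the caller."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        return {"error": "unauthenticated"}, 401
    reg = REGISTRIES[owner]
    return {
        "name": reg.owner_name,
        "email": reg.email,
        "shipping_address": reg.shipping_address,
        "phone": reg.phone,
        "items": list(reg.items),
    }, 200


def get_shared_registry(token):
    """Public view: only what a gift-giver needs, and only via a token the
    owner chose to hand out."""
    owner = SHARE_TOKENS.get(token)
    if owner is None:
        return {"error": "not found"}, 404
    reg = REGISTRIES[owner]
    return {"name": reg.owner_name, "items": list(reg.items)}, 200


if __name__ == "__main__":
    print("flawed:", vulnerable_get_registry(1001))
    print("owner view:", get_own_registry("sess-alice"))
    tok = create_share_token(1002)
    print("shared view:", get_shared_registry(tok))
```

The two hardened handlers make the design point explicit: the identity used for authorization is derived server-side from the session, and the only identifier a stranger can present is a random token that maps to a reduced, contact-free view. Even if the owner view were reachable, an attacker would still need a valid session rather than a number they can count up from.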
After the report went live and Target was informed of the vulnerability, the company disabled the wish list feature in the app. "We apologize for any challenges guests may be facing while trying to access their registry. Our teams are working diligently overnight to resume full functionality," Molly Snyder, communications manager at Target, commented. There is no information on whether the flaw in the mobile app has been exploited by attackers, and it is unclear why Avast did not notify Target before making the details public.