Shopping online at ASDA could put your credit card details at risk

Graham Cluley

British shoppers might want to check out the following YouTube video by security consultant Paul Moore, especially if they buy their groceries online from ASDA.

Moore says that he notified ASDA of various serious security flaws on its website in March 2014, and was promised a fix “in the next few weeks”.

However, Moore says that after waiting 677 days he has run out of patience.

In the video, Moore dramatically demonstrates how XSS (cross-site scripting) and CSRF (cross-site request forgery) flaws on the ASDA website could be exploited to convincingly phish customers’ payment card details.

Asda website flaw exploited

Paul Moore says that he has no evidence that malicious hackers have exploited the flaws which have been sitting on the ASDA website for almost two years at least, but then he has no way of telling that they haven’t either.

What is indisputable, though, is that at least a few ASDA customers have tweeted about their accounts being breached in the past.

ASDA is owned by the US supermarket giant Walmart, and processes over 200,000 online orders each week. In short, any vulnerabilities which could be used to target ASDA’s online customers are a serious problem, and the company is not short of resources to deal with any problems discovered.

And yet, despite having ample opportunity to resolve the issues, ASDA has failed to do so.

It would be good to think that they responded appropriately to security researchers’ vulnerability reports in a timely fashion rather than leaving their customers in the lurch, wouldn’t it?

Read more on Paul Moore’s blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.