Shopping online at ASDA could put your credit card details at risk


British shoppers might want to check out the following YouTube video by security consultant Paul Moore, especially if they buy their groceries online from ASDA.

Moore says that he notified ASDA of various serious security flaws on its website in March 2014, and was promised a fix “in the next few weeks”.

However, Moore says that after waiting 677 days he has run out of patience.

In the video above, Moore dramatically demonstrates just how XSS (cross-site scripting) and CSRF (Cross-Site Request Forgery) flaws on the ASDA website could be exploited to convincingly phish customers’ payment card details.

Asda website flaw exploited

Paul Moore says that he has no evidence that malicious hackers have exploited the flaws which have been sitting on the ASDA website for almost two years at least, but then he has no way of telling that they haven’t either.

What is indisputable, though, is that at least a few ASDA customers have tweeted about their accounts being breached in the past.

ASDA is owned by the US supermarket giant Walmart, and processes over 200,000 online orders each week. In short, any vulnerabilities which could be used to target ASDA’s online customers is a serious problem, and the company is not short of resources to deal with any problems discovered.

And yet, despite having ample opportunity to resolve the issues - ASDA has failed to do so.

It would be good to think that they responded appropriately to security researchers’ vulnerability reports in a timely fashion rather than leaving their customers in the lurch, wouldn’t it?

Read more on Paul Moore’s blog.

Tags: , , , , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , , , ,

No comments yet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.