Shopping online at ASDA could put your credit card details at risk

Graham Cluley
@gcluley

British shoppers might want to check out the following YouTube video by security consultant Paul Moore, especially if they buy their groceries online from ASDA.

Moore says that he notified ASDA of various serious security flaws on its website in March 2014, and was promised a fix “in the next few weeks”.

However, Moore says that after waiting 677 days he has run out of patience.

Sign up to our newsletter
Security news, advice, and tips.

In the video above, Moore dramatically demonstrates just how XSS (cross-site scripting) and CSRF (Cross-Site Request Forgery) flaws on the ASDA website could be exploited to convincingly phish customers’ payment card details.

Paul Moore says that he has no evidence that malicious hackers have exploited the flaws which have been sitting on the ASDA website for almost two years at least, but then he has no way of telling that they haven’t either.

What is indisputable, though, is that at least a few ASDA customers have tweeted about their accounts being breached in the past.

ASDA is owned by the US supermarket giant Walmart, and processes over 200,000 online orders each week. In short, any vulnerabilities which could be used to target ASDA’s online customers is a serious problem, and the company is not short of resources to deal with any problems discovered.

And yet, despite having ample opportunity to resolve the issues – ASDA has failed to do so.

It would be good to think that they responded appropriately to security researchers’ vulnerability reports in a timely fashion rather than leaving their customers in the lurch, wouldn’t it?

Read more on Paul Moore’s blog.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.