Shopping online at ASDA could put your credit card details at risk

Graham Cluley

British shoppers might want to check out the following YouTube video by security consultant Paul Moore, especially if they buy their groceries online from ASDA.

Identity theft & payment fraud? That's ASDA price.

Moore says that he notified ASDA of various serious security flaws on its website in March 2014, and was promised a fix “in the next few weeks”.

However, Moore says that after waiting 677 days he has run out of patience.


In the video above, Moore dramatically demonstrates just how XSS (cross-site scripting) and CSRF (Cross-Site Request Forgery) flaws on the ASDA website could be exploited to convincingly phish customers’ payment card details.

Asda website flaw exploited

Paul Moore says that he has no evidence that malicious hackers have exploited the flaws, which have been present on the ASDA website for at least the best part of two years, but equally he has no way of telling that they haven’t.

What is indisputable, though, is that at least a few ASDA customers have tweeted about their accounts being breached in the past.

ASDA is owned by the US supermarket giant Walmart, and processes over 200,000 online orders each week. In short, any vulnerabilities which could be used to target ASDA’s online customers are a serious problem, and the company is not short of resources to deal with any problems discovered.

And yet, despite having ample opportunity to resolve the issues, ASDA has failed to do so.

It would be good to think that they responded appropriately to security researchers’ vulnerability reports in a timely fashion rather than leaving their customers in the lurch, wouldn’t it?

Read more on Paul Moore’s blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
