British shoppers might want to check out the following YouTube video by security consultant Paul Moore, especially if they buy their groceries online from ASDA.
Moore says that he notified ASDA of various serious security flaws on its website in March 2014, and was promised a fix “in the next few weeks”.
However, Moore says that after waiting 677 days he has run out of patience.
In the video above, Moore dramatically demonstrates just how XSS (cross-site scripting) and CSRF (Cross-Site Request Forgery) flaws on the ASDA website could be exploited to convincingly phish customers’ payment card details.
Paul Moore says that he has no evidence that malicious hackers have exploited the flaws, which have been present on the ASDA website for almost two years at least, but he has no way of telling that they haven’t, either.
What is indisputable, though, is that at least a few ASDA customers have tweeted about their accounts being breached in the past.
@asda someone hacked my acc to make fraud online purchases the bank caught it thank god but warn ur customers and i need a number to ring
— cathy creighton (@Ruby6918) June 10, 2014
ASDA is owned by the US supermarket giant Walmart, and processes over 200,000 online orders each week. In short, any vulnerability which could be used to target ASDA’s online customers is a serious problem, and the company is not short of resources to deal with any problems discovered.
And yet, despite having ample opportunity to resolve the issues, ASDA has failed to do so.
It would be good to think that retailers like ASDA responded appropriately to security researchers’ vulnerability reports in a timely fashion rather than leaving their customers in the lurch, wouldn’t it?
Read more on Paul Moore’s blog.