Target app shares holiday wishlists, personal info with friends, family… and rest of the internet?

David bisson
David Bisson

Target android appResearchers have found that the entire web could potentially view the holiday wishlists and personal information of Target app users.

Avast security researcher Flip Chytry explains in a blog post how Avast randomly chose Home Depot, J.C. Penney, Target, Macy’s, Safeway, Walgreens, and Walmart as part of a study in order to determine what kinds of information major retailers’ apps collect about their users and the types of permissions they commonly request.

Much of the post is dedicated to the Target app, which according to Avast’s review maintains a database of users’ wishlists and personal information. This database, Chytry explains, is potentially viewable beyond friends, family, and Santa Claus, however.

“To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.”

Sign up to our free newsletter.
Security news, advice, and tips.

Target json file

The file contained customers’ names, email addresses, shipping addresses, phone numbers, registry types, and items on the registries.

Using this information, Avast was able to determine that Gerber and Munchkin were the two top brands on Target app users’ registries; most of the app users lived in Florida, Texas, and California; and (for some reason) the top 8 names mainly began with the letter “J”, with Jasmine in first place at 162 users, followed by Jamie (132), Jessica (79), Ashley (67), Jackie (67), Jordan (64), Amanda (58), and Jennifer (55).

Target map

Patrick Dorn, a spokesman for Avast, expressed to the Star Tribune what are likely to be common concerns about the Target app’s lax attitude to privacy:

“You should be able to get your list of gifts out to a specific group of people who you want to see it. But all your personal information shouldn’t be accessible to anyone who wants to go in and hack in there… I do feel uncomfortable when I find that my information can be easily accessible to somebody… It’s kind of building a profile on you.”

Target logoAvast’s discovery, which came out around the two-year anniversary of the Target breach that compromised 40 million customers’ credit card details, has since prompted the retailer to suspend elements of the app while developers investigate, reports Ars Technica.

“We apologize for any challenges guests may be facing while trying to access their registry,” Molly Snyder, a communications manager at Target, said in a statement. “Our teams are working diligently overnight to resume full functionality.”

Avast’s post does not explain its findings regarding all of the apps it examined. It does single out Walgreens’ app, however, for requesting a ridiculous amount of permissions, including the ability to change your audio settings, pair with blue tooth devices, control your flashlight, and run at startup.

Walgreens app

This holiday season, it might be a good idea to just call up your friends and family and tell them what you want for a gift. But if you really want to use an app to do so, please make sure you’re not agreeing to sharing too much information, or handing over too much power to an app.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Target app shares holiday wishlists, personal info with friends, family… and rest of the internet?”

  1. David L

    I'm shocked ! Really shocked I tell you! That a stroller on sale would be almost 4 hundred dollars is truly shocking! (-:

    Must have hit my funny bone this morning. But app developers are so lazy these days, it's amazing more people aren't pwnd. And where the heck is Google? They are supposed to be doing manual reviews of new apps and updates these days before these apps get published. I wrote awhile back about 30,000 plus apps in Google playstore that had some kind of malware. And if you add in all the poorly coded apps, that number skyrockets. Playstore is not as safe as most people believe,and at least with Android OS 6.0 marshmallow,we will have better control over permissions.



What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.