Asda expose customers' details
A load of personal details of customers have been exposed thanks to a flaw on Asda's website, thereby giving scam artists the chance to gather up that lovely data, such as payment details, and use it all for whatever nefarious purposes they have in mind.
This may well have put millions of transactions at risk, according to security dude Paul Moore. He first saw the flaw in March 2014, and got in touch with Asda to inform them about it.
Asda have now said that this has been patched up, telling the Beeb: "Asda and Walmart take the security of our websites very seriously. We are aware of the issue and have implemented changes to improve the security on our website."
If you're into security flaws and all the techie gubbins, then this revolved around two exploits: cross-site scripting (XSS) and cross-site request forgery (CSRF). If you don't know what they are, then rest assured, it is all incredibly exciting and like three Woodstock Festivals at the same time.
Or, if you prefer, it means that, should your device be infected with malware while you have the Asda website open, you could be exposed to an attack.
A number of sites have this problem, but Asda seem to have reacted slowly to the whole thing. Moore says: "Back in March 2014, I contacted Asda to report several security vulnerabilities and despite a fix promised 'in the next few weeks', little appears to have changed. Asda also failed to issue adequate security headers which help mitigate the risk by instructing the browser to discard content which ASDA deem malicious or unnecessary."
"The majority of modern browsers support content security policy (CSP) which effectively blocks this type of attack, but very few sites adopt this technique."
"Asda/Walmart have had ample opportunity to fix these issues and have failed to do so. If you must continue shopping with Asda, open a private window and do not open any other tabs or windows until you've logged out."
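For anyone wanting to check a site's headers for the content security policy Moore mentions, here is an added example (not from the original article, and not Asda's code) that audits a response's Content-Security-Policy in Python. The header values are constructed samples and the function names are hypothetical.

```python
# Added example: header values below are constructed, not Asda's real responses.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(policy):
    """Split a CSP header value into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit_csp(headers):
    """Return a list of findings for one response's headers (a dict)."""
    h = {k.lower(): v for k, v in headers.items()}
    policy = h.get("content-security-policy")
    if policy is None:
        if "content-security-policy-report-only" in h:
            return ["CSP is report-only: violations are logged, not blocked"]
        return ["no Content-Security-Policy header"]
    d = parse_csp(policy)
    findings = []
    # script-src falls back to default-src when it is absent.
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: scripts are unrestricted")
    else:
        strict = any(s.startswith(HASH_OR_NONCE) for s in script)
        for s in script:
            if s == "'unsafe-inline'" and strict:
                continue  # ignored by browsers when a nonce or hash is present
            if s in WEAK_SOURCES:
                findings.append(f"script source {s} weakens XSS protection")
    if "object-src" not in d and "default-src" not in d:
        findings.append("object-src not restricted")
    if "base-uri" not in d:
        findings.append("base-uri not set (it does not fall back to default-src)")
    return findings

WEAK_HEADERS = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline' https:"}
STRICT_HEADERS = {"content-security-policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("strict", STRICT_HEADERS)):
        print(name, audit_csp(hdrs) or "no findings")
```

A policy that passes this audit limits what injected script can do; it does not address CSRF, which needs its own defences on the server side.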