Target scrambles to revamp holiday shopping list app after it’s easily penetrated

Meanwhile, Target disabled portions of its wish list app on Tuesday until the problem could be resolved.

Chytry said the information exposed was logged into Target’s app database, which includes wish lists, names, phone numbers, home addresses and emails.

Target’s app for making holiday wish lists actually keeps a database of its users. Hackers had almost a month to find and exploit the flaw, which means that there’s a good chance users’ personally identifiable information could soon start surfacing on the black market. The researchers determined that the mobile app’s Application Programming Interface (API) was very easy to access over the Internet.

After the company’s huge data breach at the end of 2013, which compromised the personal information of over 100 million consumers, another security flaw has been found this year. “But all your personal information shouldn’t be accessible to anyone who wants to go in and hack in there”. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated.

The Target API spews information about users such as their real names, email addresses, shipping addresses, phone numbers, and their wish lists. The company said it “did not store any personal information, but we did aggregate data from 5,000 inputs, enough for statistical analysis”. But if you really want to use an app to do so, please make sure you’re not agreeing to share too much information, or handing over too much power to an app.

Security researchers from Avira decided to take a closer look at the Android apps of several online retailers, and to nobody’s surprise, managed to discover a few vulnerabilities.

“On the bright side, these retail apps aren’t the most permission-hungry apps we have ever seen, in fact compared to other apps out there they are decent”, reads Avast’s blog post. It does single out Walgreens’ app, however, for requesting a ridiculous amount of permissions, including the ability to change your audio settings, pair with Bluetooth devices, control your flashlight, and run at startup. They didn’t identify any additional issues in the other apps, although they did note the Home Depot app also sought lots of permissions.