UPDATED 14:18 EST / DECEMBER 16 2015

NEWS

Target botches holiday season cybersecurity, again

Two years and about $300 million in legal costs later, it seems that Target Corp. still hasn't fully internalized the lessons of the 2013 holiday season breach, in which attackers stole the personal information of more than 40 million of its customers. Avast Software s.r.o. issued a security alert this week warning of a vulnerability in the discount retailer's wish list app that can be exploited to pull users' details without compromising their mobile devices at all.

An attacker would simply have to figure out the formula the client uses to generate the unique code assigned to each account, the identifier the service uses to keep track of customer data. After cracking the pattern, which apparently didn't take the Avast researchers long, a script can cycle through every possible code and send each one in a query to the publicly accessible programming interface behind Target's app. The combination of a guessable identifier and an endpoint that asks for nothing else is what turns a single record lookup into a bulk download of the user base.

Because the service applied no authentication to such requests, the antivirus maker was able to collect a sample dataset of 5,000 accounts for research purposes. Analysis of that sample showed that the exposed endpoint returns practically all of the information users have provided to Target's app: names, email and home addresses, phone numbers and, of course, holiday wish lists. The only reason payment details are absent from the data is that the client does not require any to be entered during account creation.
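The flaw described above is, in application-security terms, a predictable identifier combined with an unauthenticated lookup. The following is an added example, not code from Avast's advisory or from Target's app: a toy wish list service that issues account codes from a guessable formula and answers any lookup, the enumeration loop an attacker would run against it, and a hardened variant that uses random identifiers and only answers the account's own session. The code formula (a six-digit counter plus a mod-10 check digit), the record fields and the sample users are all constructed for illustration; the article does not say what pattern Target's client actually used.

```python
"""Predictable account codes + no authentication = bulk harvesting.

Added illustration, not Avast's or Target's code. The code format and the
sample records below are hypothetical stand-ins.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class WishList:
    name: str
    email: str
    phone: str
    items: list = field(default_factory=list)


# Constructed sample accounts (not real data).
USERS = [
    WishList("Alice Example", "alice@example.com", "555-0100", ["headphones"]),
    WishList("Bob Example", "bob@example.com", "555-0101", ["board game", "scarf"]),
    WishList("Carol Example", "carol@example.com", "555-0102", ["camera"]),
]


def predictable_code(n: int) -> str:
    """Hypothetical client-side formula: zero-padded counter plus a check digit.

    Once an attacker has recovered this rule, the search space collapses from
    10**7 seven-digit strings to the 10**6 counters the formula can emit.
    """
    body = f"{n:06d}"
    return body + str(sum(int(d) for d in body) % 10)


class VulnerableWishListService:
    """Models the flaw: codes follow a pattern and lookups need no credential."""

    def __init__(self, users):
        self.records = {predictable_code(i): u for i, u in enumerate(users, start=1)}

    def lookup(self, code: str):
        # No authentication: whoever knows (or guesses) a code gets the record.
        return self.records.get(code)


def enumerate_accounts(lookup, max_counter: int) -> dict:
    """What the attacker's script does: walk the cracked pattern and keep every hit."""
    harvested = {}
    for n in range(1, max_counter + 1):
        code = predictable_code(n)
        record = lookup(code)
        if record is not None:
            harvested[code] = record
    return harvested


class HardenedWishListService:
    """Two fixes: unguessable identifiers and an authorization check per request."""

    def __init__(self, users):
        # 128-bit random codes: no formula to crack, brute force is infeasible.
        self.records = {secrets.token_urlsafe(16): u for u in users}
        self.sessions = {}  # bearer token -> account code it is bound to

    def login(self, code: str) -> str:
        """Stand-in for a real login flow; issues a token tied to one account."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = code
        return token

    def lookup(self, code: str, token: str):
        owner = self.sessions.get(token)
        # Fail closed: unknown token, or a token for a different account, gets nothing.
        if owner is None or not hmac.compare_digest(owner.encode(), code.encode()):
            return None
        return self.records.get(code)


if __name__ == "__main__":
    vuln = VulnerableWishListService(USERS)
    print("harvested from vulnerable service:", len(enumerate_accounts(vuln.lookup, 10_000)))
    hard = HardenedWishListService(USERS)
    print("harvested from hardened service:",
          len(enumerate_accounts(lambda c: hard.lookup(c, "guessed-token"), 10_000)))
```

The hardened service still contains nothing an attacker cannot discover by reading the client, which is the point: the authorization check, not secrecy of the code scheme, is what stops the enumeration. Rate limiting on the endpoint would be a sensible third layer, but on its own it only slows the harvest described in the article rather than preventing it.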

Target has blocked the vulnerable endpoints in the wake of Avast's alert, but that is little consolation to the tens of thousands or more of consumers who may have downloaded the app since the start of the holiday season. Attackers had nearly a month to find and exploit the flaw, and because the requests carried no credentials, only the retailer's own server-side logs could show whether anyone else walked through the data before the fix. There is a real chance that users' personally identifiable information will surface on the black market.

Image via JavadR
