Asda supermarket's website had a bug that exposed the personal information and payment details of millions of its online shopping customers. The bug could potentially have given hackers access to sensitive information on the company's internal servers, experts say.
The Walmart-owned supermarket was first contacted by security expert Paul Moore in March 2014, when he observed the security issue. Moore opined that the security flaw could have jeopardised millions of transactions, especially given that the supermarket processes a multitude of online orders every week.
Asda said that it has now fixed the bug. According to a BBC report, the company said: "Asda and Walmart take the security of our websites very seriously. We are aware of the issue and have implemented changes to improve the security on our website." The US-run retail chain also said that it has updated its online security system and is currently working on implementing additional enhancements to bolster its online security.
Although Asda has said that it has now fixed the issue, with the reassurance that no customers' sensitive data was affected, Moore contended that the firm should have acted more quickly to correct the problem. He said, "Back in March 2014, I contacted Asda to report several security vulnerabilities and despite a fix promised 'in the next few weeks', little appears to have changed."
The flaw is believed to have stemmed from two common issues: cross-site scripting (XSS) and cross-site request forgery (CSRF). According to Moore, when combined, the two issues can give malicious hackers unchecked access to user data that has been uploaded to the website. In other words, a customer who had Asda's website open while another website infected with malware was open in the same browser could have been left vulnerable to attack.
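As an added illustration of the two defences that address the bug classes named above (this is example code, not Asda's site or Moore's findings; the session store, the hypothetical `update_address` handler and the `shop.example` origin are all assumptions): state-changing requests are accepted only with a per-session CSRF token and a same-site Origin header, and reflected input is output-encoded so that no injected script can run in the site's origin and read that token, which is why the two bug classes are worse in combination than either alone.

```python
# Added example: minimal server-side defences against XSS and CSRF.
# Hypothetical handler and in-memory session store, not the retailer's code.
import hmac
import html
import secrets

SITE_ORIGIN = "https://shop.example"   # assumed origin of the shop
SESSIONS = {}                          # session id -> session data


def new_session(user):
    """Create a logged-in session with its own unguessable CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_search(term):
    """Reflect a user-supplied search term into HTML with output encoding,
    so a term such as <script>...</script> is shown as text, not executed."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def update_address(sid, form, origin):
    """State-changing POST. Rejects the request unless the session exists,
    the Origin header is the site's own, and the form carries the token
    issued to this session (compared in constant time)."""
    session = SESSIONS.get(sid)
    if session is None:
        return (401, "no session")
    if origin != SITE_ORIGIN:
        return (403, "cross-site origin rejected")
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return (403, "csrf token missing or wrong")
    session["address"] = form.get("address", "")
    return (200, "address updated")
```

The Origin check alone would still accept a request issued by script injected into the site's own pages, so the output encoding in `render_search` is part of the CSRF defence rather than a separate concern.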
Apart from the XSS and CSRF bugs, Moore also discovered that Asda was not using HTTPS for its login page and that the firm kept a record of expired certificates on its job board, exposing sensitive information of current and prospective employees, Softpedia News reported.
Although Asda is not alone in failing to incorporate more rigorous security measures for its website, Moore believes that the supermarket chain failed to correct the issue properly, despite knowing about it beforehand. Moore also suggested that people who choose to shop online from Asda's website take extra precautions. "Open a private window and do not open any other tabs or windows until you've logged out", he advised customers.