With Christmas fast approaching, many people are using retailers’ mobile applications to create wish lists for their friends to access, yet those who used Target’s app this holiday season might have shared their personal information with more people than they intended.
According to a recent blog post from Avast, vulnerabilities found in the Target Android application exposed user information to anyone who could figure out how the user ID is generated. Thus, while users creating wish lists wanted them to be accessible to their family and friends, their personal information was put at risk.
The security firm explains that the application creates a database that includes not only the wish lists, but also users’ names, addresses, and email addresses. The team of researchers involved in the analysis of the application managed to aggregate data from 5,000 inputs, although they say they did not store any personal information.
According to the researchers, the application’s Application Programming Interface (API) is easily accessible from the Internet and answers any query it receives without requiring authentication, meaning that an attacker could access a user’s personal information simply by discovering how user IDs are generated.
With all these conditions met, the application immediately delivers all of the user data in the form of a JSON file. Avast reports that the JSON file received from Target’s API contained a large amount of data, including users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries.
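The weakness described above is an endpoint that hands out a full record for any guessable user ID with no caller identity at all. The following added example (not Target’s or Avast’s code; the data, IDs and function names are constructed for illustration) contrasts that pattern with a hardened lookup that requires an authenticated caller, checks authorization against an unguessable share token, and returns only the fields a wish-list viewer needs:

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Registry:
    owner_id: int
    owner_name: str
    email: str
    address: str
    phone: str
    items: list
    # Unguessable per-registry token the owner hands to friends and family.
    share_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

# Constructed sample data; the sequential IDs model the guessable user IDs in the article.
REGISTRIES = {
    1001: Registry(1001, "Alice Example", "alice@example.com", "1 Main St", "555-0100", ["toaster"]),
    1002: Registry(1002, "Bob Example", "bob@example.com", "2 Oak Ave", "555-0101", ["blender", "kettle"]),
}

def full_record(r: Registry) -> dict:
    """Everything the owner stored, including the PII the article says was exposed."""
    return {"owner_name": r.owner_name, "email": r.email, "address": r.address,
            "phone": r.phone, "items": list(r.items)}

def lookup_registry_insecure(user_id: int) -> Optional[dict]:
    """Weak pattern: no caller identity, so any enumerable ID yields the full record."""
    r = REGISTRIES.get(user_id)
    return full_record(r) if r else None

def lookup_registry_secure(caller_id: Optional[int], user_id: int,
                           share_token: Optional[str] = None) -> Optional[dict]:
    """Hardened pattern: authenticate, authorize, then minimise the response.

    Returns None for a missing registry and for any unauthenticated or
    unauthorised request alike, so the endpoint does not act as an existence
    oracle for user IDs (a 404 either way)."""
    r = REGISTRIES.get(user_id)
    if caller_id is None or r is None:
        return None
    if caller_id == r.owner_id:
        return full_record(r)                    # owner sees their own full record
    # Anyone else must present the share token; the comparison is constant-time.
    if share_token is not None and secrets.compare_digest(share_token, r.share_token):
        return {"owner_name": r.owner_name, "items": list(r.items)}   # no address, email or phone
    return None
```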
The researchers analyzed the brands that appeared the most on the registry of the 5,000 random inputs, along with the states the users of the Target application are from, and the most common names of these people. The Avast team found more than 1,700 unique names in their sample and shared a list of the top 20 names.
Target has already acknowledged that there were a series of issues with its mobile application, and disabled it to ensure user protection. In an email to SecurityWeek, Target spokesperson Molly Snyder explained that the retailer has already taken the necessary steps to patch the issue.
“Last night it was brought to our attention that there may have been a potential issue with the mobile functionality on our gift registry platform. Out of an abundance of caution, we temporarily disabled elements of our wish list and gift registry apps while we assessed the platform.
“The interruption in service was brief and we apologize to any guests who may have faced challenges trying to access their registry last night. We have addressed any potential issues and have restored our registry capabilities to full functionality,” Snyder said.
While analyzing other similar applications from retailers, the Avast researchers discovered that the Walgreens app requests more permissions than any other retailer application, many of which are not required for it to function. The Home Depot came in second in terms of unnecessary permissions requested.
The Walgreens application asks for permissions to change audio settings, pair with Bluetooth devices, control the flashlight, and run at startup, none of which is necessary for the app to function properly. Since these applications could leak sensitive user data, people should be cautious when granting extra permissions to them and should also be aware of the data that these pieces of software can collect.
Last month, a SEWORKS report revealed that even the most popular Android applications put users’ security at risk. The report found that 85 percent of the top 200 most popular free applications in Google Play can be decompiled, which exposes their code to cybercriminals seeking exploits or looking to inject malware into them and repackage them as malicious apps.