A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack merchant accounts. A different flaw could have been leveraged to gain access to buyers’ details.
Barak Tawily of the Israeli security firm AppSec Labs discovered a cross-site scripting (XSS) vulnerability in the AliExpress form that allows buyers to send messages to suppliers. According to the expert, an attacker could have injected malicious code into the body of the message and it would have been automatically executed in the supplier’s browser when he opened the message.
A malicious actor could have leveraged the method for phishing attacks, to steal a seller’s session ID, and to perform actions on the victim’s behalf. The researcher said a skilled attacker could have taken over a user’s AliExpress store.
A different vulnerability in AliExpress, which as of July 2013 had 7.7 million users in more than 200 countries and regions, was discovered by Amitay Dan of Israel-based security firm Cybermoon. The expert discovered that he could access the shipping details, including name, address and contact information, of any AliExpress buyer simply by changing the value of a parameter in the URL.
This easy-to-exploit flaw is known as insecure direct object reference and in this case it could have been leveraged to harvest the details of users who had placed an order on the website.
Both Dan and Tawily found the security holes while shopping on the website. Israel’s Channel 10 TV, which first reported the problems, noted that the researchers initially encountered some difficulties in notifying Alibaba.
Alibaba says it has addressed both issues, which it calls “potential vulnerabilities.”
“We are aware of the issue and took immediate steps to assess and remedy the situation. We have already closed the potential vulnerability and we will continue to closely monitor the situation. The security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms,” Alibaba representatives told SecurityWeek in an emailed statement.
In August, Trend Micro researchers identified a security hole in the in-app payment SDK for Alibaba’s online payment platform Alipay. The bug could have been exploited to launch phishing attacks against users who made payments from their Android devices.
Dan and Tawily have published proof-of-concept videos to demonstrate their findings:
