Target Mobile App Exposed User Data to Public

With Christmas fast approaching, many people are using retailers’ mobile applications to create wish lists for their friends to access, yet those who used Target’s app this holiday season might have shared their personal information beyond those intended.  

According to a recent blog post from Avast, vulnerabilities found in the Target Android application exposed user information to anyone who could figure out how the user ID is generated. Thus, while users creating wish lists wanted them to be accessible to their family and friends, their personal information was put at risk.

The security firm explains that the application's back end holds a database containing not only the wish lists but also users' names, addresses, and email addresses. The researchers who analyzed the application aggregated data from 5,000 inputs, although they say they did not store any personal information.

According to the researchers, the application's Application Programming Interface (API) is reachable from the Internet and answers requests without requiring authentication: whoever supplies a valid user ID receives that user's record. An attacker therefore only needs to work out how user IDs are generated to retrieve other users' personal information.

Once a valid user ID is supplied, the API returns all of that user's data as a JSON response. Avast reports that the JSON it received from Target's API contained a large amount of data, including users' names, email addresses, shipping addresses, phone numbers, the type of registry, and the items on the registry.
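The weakness described above is a classic insecure direct object reference: an unauthenticated endpoint keyed by a guessable identifier. The following is an added example written for this page, not Target's or Avast's code. It models a hypothetical registry API with constructed sample records, shows how a predictable integer ID lets a caller enumerate every record, and places a hardened design beside it in which owner access requires a session and an ownership check, while the "share with friends" view is reached only through an unguessable token and never carries contact details.

```python
"""Hypothetical gift-registry API: enumerable, unauthenticated lookup
beside a hardened version.  Added example; all data below is constructed."""
import secrets

# Constructed sample data (not real users).  Sequential IDs as a
# registry service might assign them.
REGISTRIES = {
    1001: {"owner": "u1", "name": "Alice Example", "email": "alice@example.com",
           "address": "1 Main St", "phone": "555-0101", "type": "wedding",
           "items": ["toaster", "blender"]},
    1002: {"owner": "u2", "name": "Bob Example", "email": "bob@example.com",
           "address": "2 Oak Ave", "phone": "555-0102", "type": "baby",
           "items": ["stroller"]},
}
# Constructed session store: bearer token -> user id.
SESSIONS = {"tok-u1": "u1", "tok-u2": "u2"}


def lookup_vulnerable(registry_id):
    """Weak pattern: no authentication, the full record is returned to anyone
    who supplies an ID, and IDs are sequential integers."""
    rec = REGISTRIES.get(registry_id)
    return dict(rec) if rec else None


def enumerate_vulnerable(start, stop):
    """What an attacker who has guessed the ID scheme does: walk the range
    and keep every record that comes back, contact details included."""
    found = []
    for rid in range(start, stop):
        rec = lookup_vulnerable(rid)
        if rec:
            found.append(rec)
    return found


# Hardened design (hypothetical): share links carry a random token, the
# shared view omits contact details, owner access needs a valid session
# and an ownership check.
SHARE_TOKENS = {}  # share token -> registry_id


def lookup_owner(registry_id, session):
    """Owner view.  Missing registry, bad session and foreign registry all
    produce the same answer so the endpoint cannot be used as an oracle."""
    user = SESSIONS.get(session)
    rec = REGISTRIES.get(registry_id)
    if user is None or rec is None or rec["owner"] != user:
        return None
    return dict(rec)


def create_share_token(registry_id, session):
    """Only the owner may mint a share link; 256 bits from the OS CSPRNG
    make the token infeasible to enumerate."""
    if lookup_owner(registry_id, session) is None:
        raise PermissionError("not the owner of this registry")
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[token] = registry_id
    return token


def lookup_shared(share_token):
    """Friends' view: the wish list itself, never email, address or phone."""
    rid = SHARE_TOKENS.get(share_token)
    if rid is None:
        return None
    rec = REGISTRIES[rid]
    return {"name": rec["name"], "type": rec["type"], "items": list(rec["items"])}


if __name__ == "__main__":
    leaked = enumerate_vulnerable(1000, 1010)
    print("vulnerable endpoint leaked", len(leaked), "records with emails:",
          [r["email"] for r in leaked])
    tok = create_share_token(1001, "tok-u1")
    print("shared view:", lookup_shared(tok))
    print("foreign owner lookup:", lookup_owner(1001, "tok-u2"))
```

The two properties that matter are independent: requiring a session stops anonymous scraping, and replacing the sequential ID with a random token in the share path stops enumeration by legitimate users as well. Either one alone would have left the other hole open.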

The researchers analyzed the brands that appeared the most on the registry of the 5,000 random inputs, along with the states the users of the Target application are from, and the most common names of these people. The Avast team found more than 1,700 unique names in their sample and shared a list of the top 20 names.

Target has already acknowledged that there were a series of issues with its mobile application, and disabled it to ensure user protection. In an email to SecurityWeek, Target spokesperson Molly Snyder explained that the retailer has already taken the necessary steps to patch the issue.

“Last night it was brought to our attention that there may have been a potential issue with the mobile functionality on our gift registry platform. Out of an abundance of caution, we temporarily disabled elements of our wish list and gift registry apps while we assessed the platform.

“The interruption in service was brief and we apologize to any guests who may have faced challenges trying to access their registry last night. We have addressed any potential issues and have restored our registry capabilities to full functionality,” Snyder said.

While analyzing other similar applications from retailers, the Avast researchers discovered that the Walgreens app requests more permissions than any other retailer application, while also requesting a wide range of permissions that are not required for it to function. The Home Depot came in second in terms of unnecessary permissions requested.

The Walgreens application asks for permissions to change audio settings, pair with Bluetooth devices, control the flashlight, and run at startup, none of which is needed for the app to function. Since such applications can leak sensitive user data, users should be cautious about granting permissions an app does not need and should be aware of the data these pieces of software can collect.
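A quick way to audit what an Android app asks for is to read the `uses-permission` entries out of its manifest and compare them against what the app's function actually requires. The following is an added example written for this page, not code from Avast or any retailer. The manifest is constructed to carry the four permission types the paragraph names, mapped to the platform permissions that grant them (`MODIFY_AUDIO_SETTINGS`, `BLUETOOTH`/`BLUETOOTH_ADMIN`, the legacy `FLASHLIGHT`, and `RECEIVE_BOOT_COMPLETED`), and the baseline of "expected" permissions for a shopping app is an assumption of this example.

```python
"""Flag permissions in an AndroidManifest.xml that a shopping app has no
functional need for.  Added example; manifest and baseline are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical retail app.  Not any real vendor's.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.retailapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Assumed baseline: what a shopping app plausibly needs (network access,
# a camera for barcode scanning, coarse location for a store locator).
RETAIL_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.VIBRATE",
}


def declared_permissions(manifest_xml):
    """Return every android:name on a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perms = []
    for elem in root.iter("uses-permission"):
        name = elem.get(name_attr)
        if name:
            perms.append(name)
    return perms


def unexpected_permissions(manifest_xml, baseline=RETAIL_BASELINE):
    """Permissions the app declares that the baseline does not justify."""
    return sorted(set(declared_permissions(manifest_xml)) - baseline)


def permission_report(manifest_xml, baseline=RETAIL_BASELINE):
    """Summary a reviewer can act on: totals plus the list to question."""
    declared = declared_permissions(manifest_xml)
    extra = unexpected_permissions(manifest_xml, baseline)
    return {"declared": len(declared), "unexpected": len(extra), "flagged": extra}


if __name__ == "__main__":
    report = permission_report(SAMPLE_MANIFEST)
    print("declared:", report["declared"], "unexpected:", report["unexpected"])
    for perm in report["flagged"]:
        print("  review:", perm)
```

To run it against a real APK, extract the binary manifest with `aapt dump xmltree` or `apktool d` first; this script parses the decoded XML form. The baseline should be tuned per app: the point is to force each extra permission to justify itself, not to enforce one fixed list.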

Last month, a SEWORKS report revealed that even the most popular Android applications put users' security at risk. The report found that 85 percent of the top 200 most popular free applications in Google Play can be decompiled, which exposes their code to cybercriminals seeking exploits or looking to inject malware into them and repackage them as malicious apps.
