Connect with us

Hi, what are you looking for?


Mobile & Wireless

Target Mobile App Exposed User Data to Public

With Christmas fast approaching, many people are using retailers’ mobile applications to create wish lists for their friends to access, yet those who used Target’s app this holiday season might have shared their personal information beyond those intended.  

With Christmas fast approaching, many people are using retailers’ mobile applications to create wish lists for their friends to access, yet those who used Target’s app this holiday season might have shared their personal information beyond those intended.  

According to a recent blog post from Avast, vulnerabilities found in the Target Android application exposed user information to anyone who could figure out how the user ID is generated. Thus, while users creating wish lists wanted them to be accessible to their family and friends, their personal information was put at risk.

Vulnerabilities In Target's Mobile AppThe security firm explains that the application creates a database that includes not only the wish lists, but also users’ names, addresses, and email addresses. The team of researchers involved in the analysis of the application managed to aggregate data from 5,000 inputs, although they say they did not store any personal information.

According to the researchers, the application’s Application Program Interface (API) is easily accessible from the Internet and represents a set of conditions where if you ask a question it sends the answer without requiring authentication, meaning that an attacker could access a user’s personal information through discovering how user ID is generated.

With all these conditions met, the application immediately delivers all of the user data in the form of a JSON file. Avast reports that the JSON file received from Target’s API contained a large amount of data, including users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries.

The researchers analyzed the brands that appeared the most on the registry of the 5,000 random inputs, along with the states the users of the Target application are from, and the most common names of these people. The Avast team found more than 1,700 unique names in their sample and shared a list of the top 20 names.

Target has already acknowledged that there were a series of issues with its mobile application, and disabled it to ensure user protection. In an email to SecurityWeek, Target spokesperson Molly Snyder explained that the retailer has already taken the necessary steps to patch the issue.

“Last night it was brought to our attention that there may have been a potential issue with the mobile functionality on our gift registry platform. Out of an abundance of caution, we temporarily disabled elements of our wish list and gift registry apps while we assessed the platform.

“The interruption in service was brief and we apologize to any guests who may have faced challenges trying to access their registry last night. We have addressed any potential issues and have restored our registry capabilities to full functionality,” Snyder said.

Advertisement. Scroll to continue reading.

While analyzing other similar applications from retailers, the Avast researchers discovered that the Walgreens app requests more permissions than any other retailer application, while also requesting a wide range of permissions that are not required for it to function. The Home Depot came in second in terms of unnecessary permissions requested.

The Walgreens application asks for permissions to change audio settings, pair with bluetooth devices, control flashlight, and run at startup, all of which are completely unnecessary for the app to function properly. Since these applications could leak sensitive user data, people should take caution when granting extra permissions to them and should also be aware of the data that these pieces of software can collect.

Last month, a SEWORKS report revealed that even the most popular Android applications put user’s security at risk. The report revealed that 85 percent of the top 200 most popular free applications in Google Play can be decompiled, which exposes their code to cybercriminals seeking exploits or looking to inject malware into them and repackage them as malicious apps.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.