Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Vulnerabilities in Alibaba Marketplace Exposed Buyer and Seller Accounts

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack merchant accounts. A different flaw could have been leveraged to gain access to buyers’ details.

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack merchant accounts. A different flaw could have been leveraged to gain access to buyers’ details.

Barak Tawily of the Israeli security firm AppSec Labs discovered a cross-site scripting (XSS) vulnerability in the AliExpress form that allows buyers to send messages to suppliers. According to the expert, an attacker could have injected malicious code into the body of the message and it would have been automatically executed in the supplier’s browser when he opened the message.

A malicious actor could have leveraged the method for phishing attacks, to steal a seller’s session ID, and to perform actions on the victim’s behalf. The researcher said a skilled attacker could have taken over a user’s AliExpress store.

A different vulnerability in AliExpress, which as of July 2013 had 7.7 million users in more than 200 countries and regions, was discovered by Amitay Dan of Israel-based security firm Cybermoon. The expert discovered that he could access the shipping details, including name, address and contact information, of any AliExpress buyer simply by changing the value of a parameter in the URL.

This easy-to-exploit flaw is known as insecure direct object reference and in this case it could have been leveraged to harvest the details of users who had placed an order on the website.

Both Dan and Tawily found the security holes while shopping on the website. Israel’s Channel 10 TV, which first reported the problems, noted that the researchers initially encountered some difficulties in notifying Alibaba.

Alibaba says it has addressed both issues, which it calls “potential vulnerabilities.”

“We are aware of the issue and took immediate steps to assess and remedy the situation. We have already closed the potential vulnerability and we will continue to closely monitor the situation. The security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms,” Alibaba representatives told SecurityWeek in an emailed statement.

In August, Trend Micro researchers identified a security hole in the in-app payment SDK for Alibaba’s online payment platform Alipay. The bug could have been exploited to launch phishing attacks against users who made payments from their Android devices.

Dan and Tawily have published proof-of-concept videos to demonstrate their findings:

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.