Target Suffers New Security Headache With Flaws In Christmas App

While it continues to settle with credit card providers and victims of its 2013 breach, Target has experienced a new data security headache courtesy of a mobile app.

According to research from Avast, the Wish List app’s Application Program Interface (API) is easily accessible over the internet, does not require any authentication and can serve data to an attacker in a JSON file. “The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated,” Avast researcher Filip Chytry said.

The JSON file it requested from Target’s API contained data such as users’ names, email addresses, shipping addresses, phone numbers, the type of registries used and the items on the registries.
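The flaw described above, sketched from the server side as an added example (not Target's code and not part of the original article): a handler that returns a full record to any caller who supplies a user ID, next to one that requires a signed session and limits what non-owners receive. The record store, the token format, the function names and the choice of which fields a non-owner may see are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side signing key

# Constructed sample records; fields mirror the data types the article lists.
REGISTRIES = {
    "1001": {"name": "A. Example", "email": "a@example.com",
             "shipping_address": "1 Sample St", "phone": "555-0100",
             "registry_type": "wish list", "items": ["toy train"]},
    "1002": {"name": "B. Example", "email": "b@example.com",
             "shipping_address": "2 Sample St", "phone": "555-0101",
             "registry_type": "wish list", "items": ["puzzle"]},
}
# Assumption: a shared wish list only needs these fields for non-owners.
PUBLIC_FIELDS = ("name", "registry_type", "items")


def _sign(user_id):
    return hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id):
    """Return 'user_id.signature', handed out after a successful login."""
    return f"{user_id}.{_sign(user_id)}"


def authenticated_user(token):
    """Return the user ID a token proves, or None if missing or forged."""
    user_id, _, sig = (token or "").partition(".")
    ok = hmac.compare_digest(sig.encode(), _sign(user_id).encode())
    return user_id if ok else None


def get_registry_weak(user_id):
    """Behaviour described in the article: any caller, any ID, full record."""
    record = REGISTRIES.get(user_id)
    return (200, record) if record else (404, None)


def get_registry_hardened(token, user_id):
    """Require a valid session, then authorize per record and per field."""
    caller = authenticated_user(token)
    if caller is None:
        return 401, None
    record = REGISTRIES.get(user_id)
    if record is None:
        return 404, None
    if caller == user_id:
        return 200, record  # the owner sees the full record
    return 200, {k: record[k] for k in PUBLIC_FIELDS}
```

With the hardened handler, knowing how user IDs are generated is no longer enough: a request without a valid token is refused, and a valid token for one account does not expose another account's email, phone number or shipping address.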

Target later said that it had suspended elements of the app while developers investigate the problem.

The Avast researchers also analyzed another Christmas app from Walgreens and found it required a large number of unnecessary permissions, including permission to change audio settings, pair with Bluetooth devices, control the flashlight and run at start-up.

 

SOURCE: Dan Raywood | Infosecurity Magazine
