January 19th, 2016, 20:38 PM
Asda bug exposed online shopping payment details
A flaw on supermarket Asda's website gave hackers the chance to collect customers' personal information and payment details, the BBC has learned.
The US-owned retail firm, which processes hundreds of thousands of online orders each week, could have put millions of transactions at risk, security expert Paul Moore estimates.
He first noticed the issue in March 2014 and contacted Asda to report it.
Asda said it had now fixed the problem and no customers had been affected.
The firm, whose website is run by US retail giant Walmart, told the BBC: "Asda and Walmart take the security of our websites very seriously. We are aware of the issue and have implemented changes to improve the security on our website."
"The points flagged pose a low risk to customers and our monitoring of these security issues indicates that no customer information has been compromised over that two-year period."
Since Mr Moore went public with the information, Asda has acted to improve its security.
"The small risk to customer information has been removed and an update has been applied, we're now adding further enhancements which will be completed by this evening. In short, one of the two issues is fixed but nothing that remains poses any risk to any customer information or card details," it told the BBC.
The issue arose from two well-known classes of web vulnerability, cross-site scripting (XSS) and cross-site request forgery (CSRF), which, when combined, can give an attacker access to all the information users enter on the site, said Mr Moore.
It means that if someone had the Asda website open in one browser tab and a malicious or malware-infected site open in another, they could be vulnerable to attack.
"CSRF exploits the trust a site has in the user's browser, allowing an attacker to issue requests on your behalf and from your own PC. XSS allows an attacker to embed malicious content into the page to alter anything and everything the user can see," he explained.
Asda is by no means alone in having a website open to these security flaws but Mr Moore believes that it should have acted more quickly to rectify the problem.
"Back in March 2014, I contacted Asda to report several security vulnerabilities and despite a fix promised 'in the next few weeks', little appears to have changed," he said.
"Asda also failed to issue adequate security headers which help mitigate the risk by instructing the browser to discard content which ASDA deem malicious or unnecessary. The majority of modern browsers support content security policy (CSP) which effectively blocks this type of attack, but very few sites adopt this technique," he added.
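The two defences Mr Moore refers to, a CSRF check that a forged cross-site request cannot satisfy, and response headers (including a content security policy) that make the browser discard injected content, are shown together in the following added example. It is illustrative code written for this page, not code from the BBC, Asda, Walmart or Mr Moore's blog; the handler name, the session dictionary and the policy values are assumptions, and the sample form submissions are constructed.

```python
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

# Constructed example (not Asda's code): a per-session CSRF token, HTML escaping
# for user-controlled text, and the security headers a site can send so the
# browser refuses injected scripts and framing.


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create (or reuse) a random per-session token that every state-changing form must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_request_is_valid(session: Dict[str, str], submitted_token: Optional[str]) -> bool:
    """A request forged from another tab cannot read the session token, so it cannot supply it.

    The comparison is constant-time so the token cannot be recovered by timing guesses.
    """
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected, submitted_token)


def render_untrusted(text: str) -> str:
    """Escape user-controlled text before placing it in HTML, so it renders as text rather than markup."""
    return html.escape(text, quote=True)


def security_headers() -> Dict[str, str]:
    """Headers instructing the browser to discard inline/foreign scripts and to refuse framing.

    The CSP here is an assumed, deliberately strict policy; a real site tunes it to its own assets.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }


def handle_change_address(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Simulated POST handler (hypothetical): reject the request unless the CSRF token matches."""
    headers = security_headers()
    if not csrf_request_is_valid(session, form.get("csrf_token")):
        return 403, headers, "<p>Request rejected: missing or invalid CSRF token.</p>"
    session["address"] = form.get("address", "")
    body = "<p>Address updated to: " + render_untrusted(session["address"]) + "</p>"
    return 200, headers, body


if __name__ == "__main__":
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    # Constructed forged request, as a malicious tab would send it: no token, so it is refused.
    print(handle_change_address(session, {"address": "1 High St"})[0])
    # Constructed legitimate submission: token present, and HTML in the value is neutralised.
    status, hdrs, body = handle_change_address(
        session, {"csrf_token": token, "address": "<script>alert(1)</script>"}
    )
    print(status, body)
    print(hdrs["Content-Security-Policy"])
```

The token lives only in the server-side session and in the form the site itself renders, which is exactly what a cross-site request cannot obtain; the escaping step and the CSP are independent layers, so a site that does only one of them is still exposed on the other.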
When he published his blog, he advised users "to shop elsewhere".
"Asda/Walmart have had ample opportunity to fix these issues and have failed to do so. If you must continue shopping with Asda, open a private window and do not open any other tabs or windows until you've logged out," he added.