It Asda be a critical security flaw - ignored by supermarket chain for two years

Asda ignored critical account-hijacking security flaw for two years

Supermarket chain Asda ignored a critical security flaw for almost two years after it had been notified by a sharp-eyed user - and the company has only promised to fix it after the information security consultant who uncovered it went public.

Furthermore, users have complained that the company, owned by the American retail giant WalMart, has also ignored complaints over a number of other minor security flaws and sloppy website security practices.

Paul Moore claims that he informed the company in March 2014 of a security flaw that would enable an attacker to hijack sessions and steal credit and debit card data. He was promised a rapid fix, but the supermarket chain subsequently ignored it.

"Back in March 2014, I contacted Asda to report several security vulnerabilities and despite a fix promised 'in the next few weeks', little appears to have changed," he wrote in a blog on Tuesday, finally making the security flaw public.

"After 677 days and several tweets along a similar vein, my patience has finally run out."

The website, he claims, carries cross-site request forgery and cross-site scripting flaws that would enable an attacker to hijack accounts, a process he demonstrates in a YouTube video. The hijack can be executed without the users even knowing anything is wrong - just by having a website open with the malware payload in the same browser. The exploit would also enable an attacker to gain payment card and other details as the user enters them into the Asda website.

Moore notes that in the time since he notified Asda of the flaw, some 19 million transactions will have taken place. Moore claims that while he is unaware of any exploits targeting Asda taking place, he has been contacted by people who suspect that it may have been used to steal credit and debit card details to make fraudulent purchases.

Furthermore, while Asda asserts that it is secure and that it very quickly fixed the security flaws shortly after he went public, Moore notes that it was not the only sloppy and insecure practice that the company was running.

"They don't enforce SSL/TLS during login and the entire session is maintained over an insecure protocol," he says, while others have noted the use of unencrypted HTTP to file forms, such as job applications bearing personal information.

"Despite a speedy response to my first email and a privacy policy which suggests otherwise, Asda do not appear to be overly concerned about the security of their customers," he concluded.