Asda website leaves customer details vulnerable for 677 days

Asda, the second largest supermarket in the UK by market share, reportedly failed to patch a vulnerability in its online grocery store that exposed customers’ personal information and payment details for nearly two years. Information security consultant Paul Moore estimates that over 19 million transactions were potentially at risk in that period.

In March 2014, Mr Moore contacted Asda “to report several security vulnerabilities” that he’d discovered in its website, but nothing was done to fix them. After 677 days, he says, his patience ran out, so he blogged about it, explaining his proof of concept in a handy video: “all that’s required for this exploit to be successful is for you to be signed in and browsing the web. If, at the end of your shop, you search for a voucher or discount code and that website contains the same malicious payload, you could potentially lose your card details.”

Walmart subsidiary Asda fixed the vulnerability shortly after Mr Moore published his blog on Monday, telling the BBC: “Asda and Walmart take the security of our websites very seriously. We are aware of the issue and have implemented changes to improve the security on our website.”

Patch management

The exploitation of known vulnerabilities is one of the easiest ways for cyber criminals to compromise websites, so keeping software up to date is paramount for any organisation that values its information security. If you continue to run unsupported or vulnerable versions, your website faces a significantly higher risk of compromise.
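The point above is easier to act on with a simple patch-compliance check. The following is an added example, not code from the article or from Asda, that runs a constructed software inventory against a hypothetical patch policy and flags components that are on an unsupported major version, below the minimum patched version, or not covered by the policy at all. It also measures how long a reported issue has stayed open against a remediation SLA; the component names, version numbers, policy and dates are all constructed for illustration (the dates are chosen so the gap matches the 677-day figure the article quotes).

```python
"""Patch-compliance check over a constructed software inventory.

Added example for illustration; component names, versions, policy and
dates below are invented, not taken from Asda or the article.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(text):
    """Turn "1.10.2" into (1, 10, 2) so versions compare numerically.

    Comparing as strings would wrongly rank "1.9" above "1.10".
    """
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Component:
    name: str
    installed: str


# Hypothetical policy: per component, the lowest version that carries the
# known fixes and the major versions the vendor still supports.
POLICY = {
    "webshop-core":    {"min_patched": "2.4.1",  "supported_majors": {2}},
    "payment-widget":  {"min_patched": "1.10.0", "supported_majors": {1}},
    "template-engine": {"min_patched": "3.0.0",  "supported_majors": {3}},
}


def assess(component, policy=POLICY):
    """Classify one component as ok / vulnerable / unsupported / unknown."""
    rule = policy.get(component.name)
    if rule is None:
        return "unknown"          # not covered by policy: needs triage, not a pass
    installed = parse_version(component.installed)
    if installed[0] not in rule["supported_majors"]:
        return "unsupported"      # vendor no longer ships fixes for this line
    if installed < parse_version(rule["min_patched"]):
        return "vulnerable"       # known fixes exist but are not applied
    return "ok"


def report(inventory, policy=POLICY):
    """Map every component name to its compliance status."""
    return {c.name: assess(c, policy) for c in inventory}


def days_overdue(reported, resolved, sla_days):
    """Days a reported issue stayed open beyond the remediation SLA (0 if within it)."""
    open_days = (resolved - reported).days
    return max(0, open_days - sla_days)


if __name__ == "__main__":
    # Constructed inventory: one out-of-date, one patched, one end-of-life, one unknown.
    inventory = [
        Component("webshop-core", "2.3.9"),
        Component("payment-widget", "1.10.2"),
        Component("template-engine", "2.8.0"),
        Component("search-plugin", "0.4.0"),
    ]
    for name, status in report(inventory).items():
        print(f"{name:16} {status}")

    # Constructed dates: 677 days apart, the figure the article quotes.
    reported, resolved = date(2014, 3, 1), date(2016, 1, 7)
    print("days past a 30-day SLA:", days_overdue(reported, resolved, 30))
```

In practice the inventory would come from a dependency manifest or an asset register rather than being typed in, and the policy from vendor advisories; the useful part is that anything outside the policy is reported as "unknown" rather than silently passing.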