Avast investigation into shopping apps reveals another Target security blunder

Shawn Knight


Security researchers with Avast recently took a look at several shopping apps to see just how much retailers know about their shoppers. What the team found was a bit alarming, to say the least.

Target's shopping app was among those randomly selected for a closer look. Avast discovered that data collected as part of the app's Christmas wish list feature was easily accessible via the Internet. The problem, it seems, is that Target's API didn't require any sort of authentication. Once they figured out how user IDs were generated, the team said the data was served up on a silver platter in a JSON file.
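The two weaknesses described above, an API that serves records without any authentication and user IDs that can be worked out, are the textbook recipe for mass data exposure. The following is an added illustration, not Target's code and not anything Avast published: a minimal wish-list lookup with the weak shape the report describes beside a hardened version that requires a session token, checks that the token's owner matches the requested record, and issues random rather than predictable IDs. All records, tokens and names in it are constructed for the demo.

```python
"""
Added illustration (not Target's code, not Avast's material): an
unauthenticated wish-list lookup with guessable IDs, next to a hardened
version. Every record, token and name here is constructed.
"""
import hmac
import json
import secrets
from typing import Optional

# Constructed sample data. Sequential IDs stand in for the "guessable"
# user IDs the report describes.
WISHLISTS = {
    "1001": {"name": "Alice Example", "email": "alice@example.invalid",
             "items": ["crib"]},
    "1002": {"name": "Bob Example", "email": "bob@example.invalid",
             "items": ["stroller"]},
}

# Session tokens issued at login: token -> user_id (constructed store).
SESSIONS = {}


class Unauthorized(Exception):
    """Raised when a request carries no usable proof of identity."""


def login(user_id: str) -> str:
    """Issue an unguessable bearer token bound to exactly one user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def weak_wishlist(user_id: str) -> str:
    """The failure mode in the report: no authentication at all, so any
    caller who can enumerate IDs receives the full record as JSON."""
    return json.dumps(WISHLISTS.get(user_id))


def hardened_wishlist(token: Optional[str], user_id: str) -> str:
    """Require a valid session, then apply object-level authorization:
    the session's owner must be the user whose wish list is requested."""
    if token is None:
        raise Unauthorized("missing bearer token")
    owner = SESSIONS.get(token)
    if owner is None:
        raise Unauthorized("unknown or expired token")
    # Constant-time compare avoids leaking the owner ID via timing.
    if not hmac.compare_digest(owner, user_id):
        raise Unauthorized("token does not own this wish list")
    record = WISHLISTS.get(user_id)
    if record is None:
        raise KeyError(user_id)
    return json.dumps(record)


def check_access(token: Optional[str], user_id: str) -> bool:
    """Convenience wrapper: True if the hardened endpoint would serve
    the record, False if it would refuse."""
    try:
        hardened_wishlist(token, user_id)
        return True
    except Unauthorized:
        return False


def new_user_id() -> str:
    """Random 128-bit IDs remove the enumeration foothold. They are a
    defense in depth, not a substitute for the ownership check above."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print("weak endpoint, no token:", weak_wishlist("1002"))
    alice = login("1001")
    print("hardened, own record:", hardened_wishlist(alice, "1001"))
    print("hardened, someone else's record allowed?",
          check_access(alice, "1002"))
```

The ownership check is the part that matters most: authentication alone would only tell the server who is asking, while the comparison of the session owner against the requested ID is what stops one logged-in user from reading another user's list.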

The wish list feature collected data including names, addresses, e-mail addresses, phone numbers, the types of gift registries users had signed up for, and the items on those registries.

Using a sampling of the data, Avast was able to determine that the most popular brand on people's lists was Gerber, that people using the app were most likely to live in California and Texas, and that the most popular name among users was Jasmine.

Target wasn't the only retailer taking part in questionable practices. Avast found that the Walgreens mobile app requested the most unnecessary permissions of any app it examined. The Home Depot app came in at a close second, we're told.

Curiously enough, Avast didn't alert Target to the security issue before publishing its report. As CNET points out, Target shut down certain elements of its wish list feature after learning of the breach.

Target is just thick-skinned and one-dimensional; they don't care about anything but profit, and it looks like they'll never learn until they start to go out of business, and by then it'll be far too late.
Maybe Walgreens' sketchy app for Android looks like it could be a front for the NSA. Hopefully all those unnecessary permissions can be revoked in Marshmallow, but that's of little benefit to those using an older OS, which is probably 99.9% of all Android users.
 
"Target shut down certain elements of its wish list feature after learning of the breach."

Target calls this a 'breach'? Surely one has to actually try to prevent unauthorized access to data in order for it to be classified as a 'breach'.