Avast investigation into shopping apps reveals another Target security blunder

By Shawn Knight
Dec 16, 2015
Post New Reply
  1. Security researchers with Avast recently took a look at several shopping apps to see just how much retailers know about their shoppers. What the team found was a bit alarming, to say the least.

    Target's shopping app was among those randomly selected for a closer look. Avast discovered that data collected as part of the app's Christmas wish list feature was easily accessible via the Internet. The problem, it seems, is that Target's API didn't require any sort of authentication. Once they figured out how user IDs were generated, the team said the data was served up on a silver platter in a JSON file.

    The wish list feature collected data including names, addresses, e-mail addresses, phone numbers, types of gift registries they may have signed up for and items on said registries.

    Using a sampling of data, Avast was able to determine that the most popular brand on peoples' list was made by Gerber, that people using the app were most likely to live in California and Texas and that the most popular name among users was Jasmine.

    Target wasn't the only retailer taking part in questionable practices. Avast found that the Walgreens mobile app requested the most unnecessary permissions of any app it examined. The Home Depot app came in at a close second, we're told.

    Curiously enough, Avast didn't alert Target to the security issue before publishing its report. As CNET points out, Target shut down certain elements of its wish list feature after learning of the breach.

    Permalink to story.

  2. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 6,339   +1,938

    Target are just thick skinned and one dimensional, they don't care about anything but profit and it looks like they'll never learn until they start to go out of business, by then it'll be far too late.
    Maybe Walgreens sketchy app for Android looks like it could be a front for the NSA, hopefully all those unnecessary permissions can be revoked in Marshmallow, but that's of little benefit to those using an older OS which is probably 99.9% of all Android users.
  3. BooysenW

    BooysenW TS Rookie

    "Target shut down certain elements of its wish list feature after learning of the breach."

    Target calls this a 'breach' ? Surely one has to actually try and prevent unauthorized access to data in order for it to be classified as a 'breach'.
    Jeff Re and Reehahs like this.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...