Shop online at Asda? Website vuln created account hijack risk

John Leyden reports:

Retailer Asda dragged its heels for nearly two years before finally this week tackling a set of security vulnerabilities reported to it by a UK consultant. Asda has acknowledged the flaws – which Paul Moore, who discovered them, argues offer up an account hijack risk – but played down their significance.

Moore told El Reg potentially interlinked cross-site request forgery (CSRF/XSRF) and cross-site scripting (XSS) vulnerabilities have been present on the Asda Groceries site since at least March 2014, when he first reported it, if not before.

Moore provided a proof of concept in November 2015. The potential impact of the flaws is severe, according to Moore.

Read more on The Register.

About the author: Dissent
