Dive Brief:
- Target shut down elements of its wish-list app Tuesday night to fix a vulnerability that exposed shoppers’ personal information, including names, addresses, phone numbers and email addresses, to anyone who queried the app’s API, which is reachable from the web without authentication.
- Avast, a cybersecurity and antivirus software company, took it upon itself to scrutinize a number of retail wish-list apps this holiday season and found the flaw.
- Other retailers, notably Walgreens and Home Depot, request an unnecessary number of permissions and collect unnecessary personal information from shoppers using their holiday list apps, Avast says.
Dive Insight:
Mobile commerce in many ways is the retail story of the holiday shopping season this year, and Avast’s detective work has unearthed a couple of serious flaws that could ultimately discourage consumers from using their phones.
The cybersecurity software company said it was surprised to find that Target’s app was so easily accessed.
“To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer,” Avast president of mobile and cybersecurity expert Flip Chytry wrote on the Avast blog Tuesday. “Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.”
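The failure pattern Chytrý describes (no authentication, records keyed by a guessable user ID, full record returned as JSON) is the classic insecure direct object reference. The following is an added example, not Target’s code or anything Avast published: it simulates such an endpoint in memory with constructed wish-list records and sequential IDs, shows how cheaply the ID space can be walked once the ID scheme is known, and then shows a hardened design. The hardening assumes the product requirement that a wish list must remain viewable by gift-givers, so the fix is not simply “require login”: the public view is reached by an unguessable share token rather than the internal ID, and returns only the fields a gift-giver needs, while contact details are served only to an authenticated owner. All record data, token stores and function names are constructed for the example.

```python
import json
import secrets

# Constructed sample data standing in for a retailer's wish-list store.
# Sequential integer IDs model the "figure out how the user ID is generated"
# step: once an attacker knows the scheme, every ID is one more request.
LISTS = {
    1001: {"name": "Ana Example", "address": "1 Main St", "phone": "555-0101",
           "email": "ana@example.com", "items": ["blender"]},
    1002: {"name": "Ben Example", "address": "2 Main St", "phone": "555-0102",
           "email": "ben@example.com", "items": ["headphones", "socks"]},
    1005: {"name": "Cy Example", "address": "5 Main St", "phone": "555-0105",
           "email": "cy@example.com", "items": ["lego"]},
}

# --- The flaw: unauthenticated lookup keyed by a guessable ID ----------------

def vulnerable_lookup(user_id):
    """No authentication, no ownership check: whoever supplies an ID gets the
    whole record, contact details included, as JSON."""
    rec = LISTS.get(user_id)
    return json.dumps(rec if rec is not None else {"error": "not found"})

def enumerate_vulnerable(start, stop):
    """What the predictable ID buys an attacker: a loop over the ID space that
    collects every record the endpoint will hand out."""
    harvested = {}
    for uid in range(start, stop):
        data = json.loads(vulnerable_lookup(uid))
        if "error" not in data:
            harvested[uid] = data
    return harvested

# --- Hardened design ---------------------------------------------------------
# A wish list must still be viewable by gift-givers, so "log in for everything"
# is not the fix. Two changes close the hole:
#   1. the public view is reached through an unguessable share token, never the
#      internal user ID, so the ID space cannot be walked; and
#   2. the public view returns only the fields a gift-giver needs; contact
#      details are served only to the authenticated owner.

PUBLIC_FIELDS = ("name", "items")
SHARE_TOKENS = {}   # share token -> user_id   (constructed in-memory store)
SESSIONS = {}       # session token -> user_id (constructed in-memory store)

def login(user_id):
    """Stand-in for a real login flow; issues a random session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def make_share_link(user_id):
    """Owner-generated share token for the public view (128 bits of entropy,
    so the token space cannot be enumerated the way integer IDs can)."""
    token = secrets.token_urlsafe(16)
    SHARE_TOKENS[token] = user_id
    return token

def hardened_public_view(share_token):
    """Anyone holding the link can see the list, but only the non-PII fields."""
    uid = SHARE_TOKENS.get(share_token)
    if uid is None:
        return json.dumps({"error": "not found"})
    rec = LISTS[uid]
    return json.dumps({k: rec[k] for k in PUBLIC_FIELDS})

def hardened_owner_view(session_token, user_id):
    """Full record, only for an authenticated caller who owns it."""
    caller = SESSIONS.get(session_token)
    if caller is None or caller != user_id:
        # One response for "not logged in" and "someone else's list", so the
        # endpoint does not confirm which IDs exist.
        return json.dumps({"error": "forbidden"})
    return json.dumps(LISTS[user_id])

def enumerate_hardened(start, stop):
    """The same ID walk against the hardened public view yields nothing:
    an integer ID is not a share token."""
    harvested = {}
    for uid in range(start, stop):
        data = json.loads(hardened_public_view(str(uid)))
        if "error" not in data:
            harvested[uid] = data
    return harvested

if __name__ == "__main__":
    print(len(enumerate_vulnerable(1000, 1010)), "records scraped from the flawed endpoint")
    link = make_share_link(1001)
    print("public view:", hardened_public_view(link))
    print("owner view, wrong session:", hardened_owner_view("bogus", 1001))
    print("owner view, own session:", hardened_owner_view(login(1001), 1001))
```

The enumeration loop is the whole attack: with ten sequential guesses it recovers every record in the constructed store, contact details included, and a real ID space is only larger, not harder. Note also the ownership check in the owner view; a session requirement alone would still let any logged-in shopper read any other shopper’s record by changing the ID.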
“We apologize for any challenges guests may be facing while trying to access their registry,” Target said in a statement. “Our teams are working diligently overnight to resume full functionality.”
But Chytry also slammed retailers that obtain permissions from consumers that have nothing to do with the functionality of their apps.
“The Walgreens app has permission to change your audio settings, pair with Bluetooth devices, control your flashlight, and run at startup – completely unnecessary for the app to function properly,” he writes. “On the bright side, these retail apps aren’t the most permission-hungry apps we have ever seen, in fact compared to other apps out there they are decent.”
“But, now imagine what could happen if this valuable customer data landed in the wrong hands,” he warns. “The ways this data could be misused are far and wide. It is, therefore, important that people are aware of how many permissions they grant the apps they use and understand what data the apps collect.”