Updated Retailer Asda dragged its heels for nearly two years before finally this week tackling a set of security vulnerabilities reported to it by a UK consultant. Asda has acknowledged the flaws - which Paul Moore, who discovered them, argues offer up an account hijack risk - but played down their significance.
Moore told El Reg potentially interlinked cross-site request forgery (CSRF/XSRF) and cross-site scripting (XSS) vulnerabilities have been present on the Asda Groceries site since at least March 2014, when he first reported it, if not before.
Moore provided a proof of concept in November 2015. The potential impact of the flaws is severe, according to Moore.
“There is no XSRF protection throughout the site. It's possible to remotely hijack any active account without knowing the username/password,” Moore told El Reg. “It's also possible to add/remove items to the basket from a remote site and ship to an alternative address, increasing the risk of fraud/identity theft.”
Moore has been engaged in dialogue with Asda for months. Asda removed the 40/56bit ciphers from its SSL configuration but all the other issues (session maintained over HTTP, CSRF and cross-site scripting [XSS]) remained vulnerable up until the start of this week, according to Moore.
Asda made some changes to its site over the weekend but this only blocked the initial vector of the XSRF attack rather than dealing with the root cause of the problem, according to Moore.
"Bottom line, if you happen to navigate to another tab/window while shopping, your ASDA account can be hacked and payment data stolen," Moore warned.
Moore has blogged about the issue here as well as uploading a video to YouTube.
On Monday the supermarket said it was in the process of rolling out a fix, which it was in the process of validating. An Asda spokesman said: “Asda and Walmart take the security of our websites very seriously and we review our systems and software regularly. The highlighted security issues are being dealt with and there is a very low risk to any customer information.”
Moore responded: “The risks associated with CSRF & XSS (on their own) are relatively low. However, it's unreasonable to claim that you ‘take the security of your websites very seriously’ and subsequently place 19 million transactions at unnecessary risk for nearly 2 years.”
XXS marks the spot
Cross-site request forgery (CSRF/XSRF) and cross-site scripting (XSS) are two of the most common classes of web vulnerabilities.
“It’s low risk compared to a SQL injection flaw but it could have a high impact,” Moore explained. “If it did happen, the data would go to an attacker's server directly.”
Asda would be able to see an attacker send the malicious payload to Asda’s site but as soon as that had been delivered, the supermarket would have no visibility.
An attacker would be altering the genuine Asda site before inviting potential marks to submit content to a hacker-controlled page presented under the banner of the legitimate retailer's site. A potential victim would see an address with a valid TLS certificate in this scenario. ®
There is a difference between reflected XSS (which needs a malformed link from another page/email every time) and stored XSS (S-XSS, the problem at hand on the Asda site) which means you only need deliver the payload once. “With stored XSS, I can delete the malicious payload from the blog as soon as it's delivered... the users account will remain hacked until Asda patch the exploit,” Moore explained.
Asda contacted us after the publication of the story to comment: "Asda and Walmart take the security of our websites very seriously. We are aware of the issue and have implemented changes to improve the security on our website." It stressed: "There is no evidence of any customer information being compromised as a result of these issues."