Enumeration bug offers five-finger discount on Woolworth Australia loyalty points

Points redemption apps are off their trolley - they accept random card numbers


The Register has been alerted that Australian retailer Woolworths' customer loyalty points can be filched thanks to a user enumeration bug.

A reader alerted us to the simplest user enumeration hole imaginable: you only need to know how Woolworths Rewards numbers are put together. In other words, pick up a card at any Woolworths supermarket, or the many affiliates that use its loyalty scheme, and you have a starting point.

As is outlined in various shopper forums (here at OzBargain for example), the company's smartphone apps, designed to check your own rewards accumulation, let you input any card number.

That means an attacker can plug in number after number until they find an account that's accumulated decent rewards, program that number into a redemption app like Stocard, and claim the rewards as their own. As Woolworths rewards can be redeemed for discounts at the point of sale, the bug will deprive some users of cash.
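To make the flaw concrete, here is an added example (not Woolworths code, and not from the article) contrasting a balance lookup that accepts any card number with one that only answers for cards registered to the authenticated user, plus a simple detector that flags a client querying many distinct card numbers in a short window. All card numbers, account data and log lines are constructed sample values.

```python
from collections import defaultdict
from typing import Optional

# Constructed sample data (not real card numbers): card number -> (owner, points).
ACCOUNTS = {
    "9000000000001": ("alice", 1450),
    "9000000000002": ("bob", 20),
    "9000000000003": ("carol", 9800),
}

def lookup_weak(card_number: str) -> Optional[int]:
    """The flaw the article describes: any card number returns its balance."""
    rec = ACCOUNTS.get(card_number)
    return rec[1] if rec else None

def lookup_hardened(user: str, card_number: str) -> Optional[int]:
    """Return a balance only for a card registered to the authenticated user.
    Unknown cards and other people's cards get the same answer, so the
    response does not reveal which numbers are live."""
    rec = ACCOUNTS.get(card_number)
    if rec is None or rec[0] != user:
        return None
    return rec[1]

class EnumerationDetector:
    """Flag a client that looks up many distinct card numbers in a short window."""
    def __init__(self, window: int = 300, threshold: int = 5):
        self.window = window             # seconds
        self.threshold = threshold       # distinct cards per client per window
        self.events = defaultdict(list)  # client -> [(timestamp, card)]

    def observe(self, client: str, ts: int, card_number: str) -> bool:
        kept = [e for e in self.events[client] if ts - e[0] <= self.window]
        kept.append((ts, card_number))
        self.events[client] = kept
        return len({c for _, c in kept}) >= self.threshold

# Constructed log lines: "<timestamp> <client ip> <card number looked up>".
SAMPLE_LOG = """\
100 10.0.0.5 9000000000001
110 10.0.0.5 9000000000002
120 10.0.0.5 9000000000003
130 10.0.0.5 9000000000004
140 10.0.0.5 9000000000005
150 10.0.0.9 9000000000002
"""

def flagged_clients(log: str) -> set:
    det = EnumerationDetector()
    return {c for ts, c, card in (line.split() for line in log.splitlines())
            if det.observe(c, int(ts), card)}
```

With the sample log, only 10.0.0.5 trips the detector; the single lookup from 10.0.0.9 does not.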

Following The Register's inquiry, a Woolworths spokesperson e-mailed us the following response:

“At Woolworths we work hard to ensure our customers' shopping experience is efficient, seamless and importantly, safe and secure.

“We are monitoring customer feedback and - although our investigation shows there is no issue with the functionality and security of the Woolworths Money App - we are reviewing how the App experience can be better improved to provide further assurances for customers.

“We take our obligations in relation to customer data very seriously, and have robust controls in place to ensure customer expectations of privacy and security are met.

“We have a continuous program of security enhancements and our apps are constantly reviewed for any improvements in functionality and security.

“If customers require further information please contact us on 1300 767 969.” ®


Biting the hand that feeds IT © 1998–2020