Asda website bug put sensitive customer info at risk for over two years

A glitch on Asda’s website put the personal information of millions of consumers at risk over the past two years.

The Walmart-owned supermarket chain processes hundreds of thousands of online orders every week and could have put millions of customers at risk because of a security flaw.

Security expert Paul Moore told the BBC that he first notified Asda about the problem in March 2014.

Asda said that the company takes the security of its websites very seriously, is aware of the issue, and has implemented changes to improve the security of its website.

Asda says that there’s no evidence to suggest unauthorized access to the personal details of its customers.

The supermarket chain added that there is no evidence to suggest that customer information was compromised over the two-year period.

The retail giant has worked on improving its security since Mr Moore went public with the information.

“The small risk to customer information has been removed and an update has been applied, we’re now adding further enhancements which will be completed by this evening. In short, one of the two issues is fixed but nothing that remains poses any risk to any customer information or card details,” Asda told the BBC.

According to Mr. Moore, the flaw was due to a combination of cross-site scripting (XSS) and cross-site request forgery (CSRF) which can give cyber criminals access to sensitive information of customers.

“CSRF exploits the trust a site has in the user’s browser, allowing an attacker to issue requests on your behalf and from your own PC. XSS allows an attacker to embed malicious content into the page to alter anything and everything the user can see,” he told the BBC.

“Back in March 2014, I contacted Asda to report several security vulnerabilities and despite a fix promised ‘in the next few weeks’, little appears to have changed,” he said.

“Asda also failed to issue adequate security headers which help mitigate the risk by instructing the browser to discard content which ASDA deem malicious or unnecessary. The majority of modern browsers support content security policy (CSP) which effectively blocks this type of attack, but very few sites adopt this technique,” he added.

When he published his blog, he advised users “to shop elsewhere”.

“Asda/Walmart have had ample opportunity to fix these issues and have failed to do so. If you must continue shopping with Asda, open a private window and do not open any other tabs or windows until you’ve logged out,” he added.