Asda website flaw left payment details of customers at risk for two years


Asda is under fire over its slow response to a vulnerability in the supermarket's website that could have exposed customer details to malicious parties.

Indeed, the flaw had been present since at least March 2014 – almost two years ago – when security expert Paul Moore first spotted it and reported the issue to Asda.

Moore told the BBC that as the Asda website (actually run by Walmart) deals with in excess of 200,000 orders every week, some 19 million transactions were potentially in danger of being compromised.

The vulnerability combined cross-site scripting (XSS) with cross-site request forgery (CSRF), meaning that a user with the supermarket's site open in one tab, and a second tab open on a malware-laden site, could have their details, including payment information, compromised.
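To make the two weaknesses concrete from the defender's side, here is an added illustration (not code from the article, and not Asda's or Walmart's own site code) of the two server-side controls that close this class of bug: output encoding so that user-supplied text cannot become script (XSS), and an Origin/Referer check plus a session-bound synchronizer token so that a form post triggered from a second, attacker-controlled tab is rejected (CSRF). The origin `https://shop.example`, the `Session` class and the request dictionaries are constructed for the example.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Hypothetical origin of the shop site; in a real deployment this is the site's
# canonical scheme + host and nothing else.
SITE_ORIGIN = "https://shop.example"


@dataclass
class Session:
    """Minimal stand-in for a server-side session: one CSRF token per session."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_profile_field(user_supplied: str) -> str:
    """Embed user text in HTML after escaping it (XSS mitigation).

    html.escape turns < > & " ' into entities, so a stored or reflected payload
    is shown as literal text instead of being executed by the browser.
    """
    return f'<span class="name">{html.escape(user_supplied, quote=True)}</span>'


def is_state_changing_request_allowed(session: Session, headers: dict, form: dict):
    """Decide whether a POST that changes account or payment data may proceed.

    Returns (allowed, reason). Two independent checks must both pass:
      1. The request's Origin (or, failing that, Referer) must be our own site.
         A request fired from a page in another tab carries that page's origin.
      2. The form must carry the token bound to this session. A cross-site page
         cannot read our pages, so it cannot learn the token to include it.
    """
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer"
    if not (origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")):
        return False, "cross-origin request"

    token = form.get("csrf_token", "")
    # Constant-time comparison so token checking does not leak timing information.
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "csrf token mismatch"
    return True, "ok"


def simulate() -> dict:
    """Run three constructed requests against one session and report the verdicts."""
    session = Session()
    # Legitimate form post from the shop's own checkout page, token included.
    genuine = is_state_changing_request_allowed(
        session,
        {"Origin": SITE_ORIGIN},
        {"csrf_token": session.csrf_token, "card_last4": "4242"},
    )
    # Forged post from a page open in another tab: wrong origin, no token.
    forged_other_origin = is_state_changing_request_allowed(
        session,
        {"Origin": "https://malicious.example"},
        {"card_last4": "0000"},
    )
    # Same-origin page that somehow omits the token (e.g. script injected via XSS
    # trying to replay a form without reading the token) is still refused.
    same_origin_no_token = is_state_changing_request_allowed(
        session,
        {"Referer": SITE_ORIGIN + "/checkout"},
        {"card_last4": "0000"},
    )
    return {
        "genuine": genuine,
        "forged_other_origin": forged_other_origin,
        "same_origin_no_token": same_origin_no_token,
        "escaped_name": render_profile_field('<script>alert(1)</script>'),
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name}: {verdict}")
```

The token check alone defeats the cross-tab forgery described above; the origin check is a second, cheaper layer that also catches requests which never loaded a form at all. Output escaping is what stops an XSS bug from being used to read the token or the page contents in the first place, which is why the two controls are usually deployed together.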

Patience ran out

Moore noted that Asda was hardly alone in being vulnerable in this respect, but criticised the organisation for the sluggishness of its response.

In a blog post, he wrote: "Back in March 2014, I contacted Asda to report several security vulnerabilities and despite a fix promised 'in the next few weeks', little appears to have changed."

He then pointed to a tweeted reply from the Asda Service Team from last week in which he was advised: "All of our sites are secure, I would advise using Chrome."

Moore added: "After 677 days and several tweets along a similar vein, my patience has finally run out," before fully outlining the issue in a detailed blog post.

Asda has now fixed the flaw, and told the BBC: "Asda and Walmart take the security of our websites very seriously. We are aware of the issue and have implemented changes to improve the security on our website.

"The points flagged pose a low risk to customers and our monitoring of these security issues indicates that no customer information has been compromised over that two-year period."

Just last week, eBay was also accused of a slow response to a critical vulnerability, and the security researcher who uncovered that lamented the fact that big companies are only quick to respond to problems when the media get wind of them.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).
