Failures

by Timothy Geigner


Filed Under:
data breach, personal info

Companies:
target



It Must Be Christmas Time, Because Target Is Losing People's Personal Information Again

from the targeted-app dept

The season of Christmas is upon us. You can feel it everywhere, from the holiday decorations, to the television specials, to the waning interest in workplace productivity. Oh, yeah, and Target is back in the news for losing people's personal information again.

Hackers can access your personal information from Target -- again -- thanks to a flaw in the retailer's mobile app. In a blog post Tuesday, researchers from security company Avast revealed the flaw, which allows unauthorized access to customers' addresses, phone numbers and other personal information from wish lists created with the Target app. The only merry tidings are that credit card numbers don't appear to be stored with the wish lists, so financial information isn't vulnerable.

This of course reminds shoppers everywhere of that time Target was the victim of a hack that resulted in the exposure of millions of customers' credit card information. That breach was so bad, and the news of it so well circulated, that Target set up a website page dedicated to telling customers all about it, assuring them not only that they wouldn't be responsible for any charges on those credit cards, but also assuring customers that the company was, like, super dedicated to security moving forward.

"We are committed to making this right and are investing in the internal processes and systems needed to reduce the likelihood that this ever happens again. For example, we are accelerating our plans to put chip-enabled technology in our stores and on our Target REDcards by early 2015, six months ahead of our previous plan."

The vulnerability of the Target app, however, isn't something that could be prevented by a chip. It would have required something as technologically advanced as basic authentication, according to Avast, which published the vulnerability.

"To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.

"The JSON file we requested from Target’s API contained interesting data, like users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries."

So much for all that dedication to security. Merry Christmas, Target shoppers!
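
The class of flaw Avast describes, an endpoint that returns a full record to anyone who supplies an ID, is shown below next to a handler that authenticates the caller and authorizes per record. This is an added example, not code from Avast, Target or the original post; the data, function names, session tokens and the choice of which fields count as shareable are all hypothetical.

```python
import secrets

# Constructed sample data; IDs, users and fields are hypothetical.
REGISTRIES = {
    "1001": {"owner": "alice", "name": "Alice A.",
             "address": "1 Example St", "items": ["kettle"]},
    "1002": {"owner": "bob", "name": "Bob B.",
             "address": "2 Example Ave", "items": ["lamp"]},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> user
PUBLIC_FIELDS = ("name", "items")  # assumption: what a shared list may show


def get_registry_vulnerable(registry_id):
    """Flawed pattern: no caller identity, so any known ID yields the whole record."""
    record = REGISTRIES.get(registry_id)
    return (200, record) if record else (404, None)


def get_registry_hardened(registry_id, token):
    """Authenticate the caller first, then decide per record what they may see."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None                      # no valid session: nothing is served
    record = REGISTRIES.get(registry_id)
    if record is None:
        return 404, None
    if record["owner"] == user:
        return 200, record                    # the owner sees the full record
    # Any other signed-in user gets only the fields meant to be shared.
    return 200, {field: record[field] for field in PUBLIC_FIELDS}


def new_registry_id():
    """Random 128-bit ID: defence in depth, not a replacement for the checks above."""
    return secrets.token_urlsafe(16)
```

Unguessable identifiers only slow enumeration; the authentication and per-record authorization checks are what keep addresses and phone numbers out of other callers' responses.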


Reader Comments



  • zboot, 18 Dec 2015 @ 3:14pm

    Customers are asking for it

    They're named target. It's like being surprised to be kicked when you're hanging around the local Kick Me.

  • That Anonymous Coward, 18 Dec 2015 @ 3:27pm

    And as soon as the ink is dry they can turn over all of this data.

  • madasahatter, 18 Dec 2015 @ 4:23pm

    Targeting Target Shoppers

    Ironic name for a store, you shop with them you are a target.

  • Anonymous Coward, 19 Dec 2015 @ 2:09am

    I've gotten to where I have amnesia when stores ask for a name, phone number, or an email address. I swear I can't remember...

    • Anonymous Coward, 19 Dec 2015 @ 6:10am

      Re:

      Individuals attempting to be anonymous will have their mug scanned and stored until a match is found in our facial recognition database.

      Then we can pass the savings on to you!

      • Anonymous Coward, 19 Dec 2015 @ 9:31am

        Re: Re:

        With all the tech that's spying on us it wouldn't surprise me if your couch is measuring your weight and evaluating your height and identifying you. If you weigh too much when you sit down you will get a targeted commercial ad telling you about this brand new weight loss program.

        If you lost weight you will get an ad that says "congratulations, you lost five pounds! Do you know how you can lose even more weight? With this new and innovative diet program ..."

        If you gained weight you will get a commercial that says "Are you sick and tired of gaining weight? Do you need a new diet program? Well, we've got just the thing!!! ...."

        If you're underweight you will get relevant commercials.

        I need to be careful not to give these marketers any ideas, I can picture them reading this and drooling over the idea of implementing it.

        • Anonymous Coward, 19 Dec 2015 @ 9:37am

          Re: Re: Re:

          Maybe what I need to do is start covering my couch, and everything in my house for that matter, with tin foil to make sure it's not spying on me ...

    • Anonymous Coward, 19 Dec 2015 @ 9:27am

      Re:

      Exactly, see, I have this mental condition called selective memory.

  • Anonymous Coward, 19 Dec 2015 @ 6:09am

    Good thing CISA is law now, that should fix these issues right up!

  • Anonymous Coward, 19 Dec 2015 @ 8:40am

    "Target Is Losing People's Personal Information"

    I think you need to investigate the definition of lose.

  • Anonymous Coward, 19 Dec 2015 @ 9:25am

    "In a blog post Tuesday, researchers from security company Avast revealed the flaw, which allows unauthorized access to customers' addresses, phone numbers and other personal information from wish lists created with the Target app."

    Had it been an independent white hat hacker that revealed that there is a flaw he would have been crucified on a cross for potentially breaking all sorts of laws. But because it's a relatively big business with resources that can defend itself it's perfectly OK. Some justice system.

  • annonymouse, 21 Dec 2015 @ 4:53am

    If you are worried about electronics hidden in non electronic devices just EMP the thing before you bring it home.

    Hmm. I see a market opportunity here. Delivery vehicles that are shielded and will kill all electronics buried in your purchases. House sniffing for unwanted surveillance equipment. Faraday cage briefcases and purses. ..... wait. ... someone beat me to those two.

    • nasch, 21 Dec 2015 @ 8:53am

      Re:

      "If you are worried about electronics hidden in non electronic devices just EMP the thing before you bring it home."

      Just? How do you "just" create an EMP?

