Researchers have found that the entire web could potentially view the holiday wishlists and personal information of Target app users.
Avast security researcher Filip Chytry explains in a blog post how Avast randomly chose Home Depot, J.C. Penney, Target, Macy’s, Safeway, Walgreens, and Walmart as part of a study to determine what kinds of information major retailers’ apps collect about their users and the types of permissions they commonly request.
Much of the post is dedicated to the Target app, which according to Avast’s review maintains a database of users’ wishlists and personal information. That database, Chytry explains, is potentially viewable by far more than friends, family, and Santa Claus.
“To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.”
The file contained customers’ names, email addresses, shipping addresses, phone numbers, registry types, and items on the registries.
Using this information, Avast was able to determine that Gerber and Munchkin were the two top brands on Target app users’ registries; most of the app users lived in Florida, Texas, and California; and (for some reason) the top 8 names mainly began with the letter “J”, with Jasmine in first place at 162 users, followed by Jamie (132), Jessica (79), Ashley (67), Jackie (67), Jordan (64), Amanda (58), and Jennifer (55).
Patrick Dorn, a spokesman for Avast, expressed to the Star Tribune what are likely to be common concerns about the Target app’s lax attitude to privacy:
“You should be able to get your list of gifts out to a specific group of people who you want to see it. But all your personal information shouldn’t be accessible to anyone who wants to go in and hack in there… I do feel uncomfortable when I find that my information can be easily accessible to somebody… It’s kind of building a profile on you.”
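As an added illustration, not code from Avast’s post or from Target, the access pattern Chytry describes sits beside a hardened equivalent: one lookup needs no session and serves a full record for any predictable ID, the other requires a session token, enforces the owner/share list Dorn alludes to, and returns contact details only to the owner. All names, tokens, IDs and items below are constructed sample data.

```python
"""Registry lookup: the unauthenticated pattern beside a hardened one."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Registry:
    owner: str            # account that created the registry
    name: str             # display name (personal information)
    email: str            # contact detail that should never leak to strangers
    items: list           # wishlist entries
    shared_with: set = field(default_factory=set)  # accounts the owner chose


# Constructed sample store; sequential IDs mimic the guessable scheme described.
REGISTRIES = {
    "100001": Registry("alice", "Alice A.", "alice@example.com", ["Gerber bibs"]),
    "100002": Registry("bob", "Bob B.", "bob@example.com", ["Munchkin cups"]),
}
# Constructed session table: bearer token -> account name.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def lookup_insecure(registry_id):
    """The pattern in the post: no authentication, whole record for any known ID."""
    r = REGISTRIES.get(registry_id)
    return None if r is None else {"name": r.name, "email": r.email, "items": r.items}


def lookup_hardened(registry_id, token):
    """Require a valid session, then apply owner/share rules and minimise the output."""
    caller = SESSIONS.get(token)
    r = REGISTRIES.get(registry_id)
    if caller is None or r is None:
        return None  # same response for 'no session' and 'no such registry'
    if caller == r.owner:
        return {"name": r.name, "email": r.email, "items": r.items}
    if caller in r.shared_with:
        return {"name": r.name, "items": r.items}  # viewers never see contact details
    return None


def share(registry_id, token, with_account):
    """Only the owner may extend the audience; returns True on success."""
    caller = SESSIONS.get(token)
    r = REGISTRIES.get(registry_id)
    if r is None or caller != r.owner:
        return False
    r.shared_with.add(with_account)
    return True


def new_registry_id():
    """Opaque, unguessable identifier so records cannot be walked in sequence."""
    return secrets.token_urlsafe(16)
```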
Avast’s discovery, which came out around the two-year anniversary of the Target breach that compromised 40 million customers’ credit card details, has since prompted the retailer to suspend elements of the app while developers investigate, reports Ars Technica.
“We apologize for any challenges guests may be facing while trying to access their registry,” Molly Snyder, a communications manager at Target, said in a statement. “Our teams are working diligently overnight to resume full functionality.”
Avast’s post does not explain its findings regarding all of the apps it examined. It does single out Walgreens’ app, however, for requesting a ridiculous number of permissions, including the ability to change your audio settings, pair with Bluetooth devices, control your flashlight, and run at startup.
This holiday season, it might be a good idea to just call up your friends and family and tell them what you want for a gift. But if you really want to use an app to do so, please make sure you’re not agreeing to share too much information, or handing over too much power to an app.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.