Despite the prevalence of dedicated security teams, glaring holes are still found. Just recently, one such hole could have exposed the private information of millions of people, had an alert application security researcher not found it first. A serious but easily exploitable personal-information disclosure vulnerability has been discovered on the hugely popular online marketplace AliExpress.
AliExpress is an online marketplace that sells products at low prices. It is owned by Alibaba, the giant business-to-business e-commerce company that dominates the Far East and is often called the Amazon of China. It has more than three hundred million active users from more than two hundred countries and regions. The site is valuable to users because it lets them order goods in bulk at cheap wholesale prices.
The exact number of AliExpress users is unknown, but it may be in the hundreds of millions, based not only in the Far East but also in the Western hemisphere.
A malicious attacker could have harvested millions of personal contact details simply by running an automated script. AliExpress was alerted to the vulnerability, and the site's operators committed to fixing the fault within a few hours of notification. The flaw was found by Amitay Dan, an Israeli application security researcher working at Cybermoon.cc. The vulnerability, disclosed by The Hacker News, lay in the URL: the page a logged-in user visits to add or update a shipping address identified the record by a number in the URL, and changing that number was all it took to display other users' mailing addresses and private numbers.
According to the proof-of-concept video and screenshots Amitay Dan provided to The Hacker News, the AliExpress website lets logged-in customers add or update their shipping address and private numbers at the following URL:
http://trade.aliexpress.com/mailingaddress/mailingAddress.htm?mailingAddressId=123456
Here “123456” is the user id of the customer who is logged in. Dan noticed that simply changing the value of “mailingAddressId” to another number exploited the site's missing authorization check and revealed another user's mailing address and confidential data on the same page.
Therefore, an attacker could have obtained the private information of millions of AliExpress users simply by using an automated script to request the ‘mailingAddress.htm’ page with every possible number, from 1 to 99999999999, as the ‘mailingAddressId’ value.
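The missing check and a way to spot its abuse, as an added example that is not from the article or from AliExpress: a handler that fetches a mailing address by its ID alone beside one scoped to the requesting account, and a detector that flags accounts reading many distinct address IDs in access logs. The record store, user IDs and log format are constructed assumptions.

```python
"""Added example (not AliExpress code): owner-scoped lookup vs. ID-only
lookup, plus enumeration detection over constructed access logs."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class MailingAddress:
    address_id: int
    owner_id: int  # the customer who created the address
    street: str

# Constructed sample rows standing in for the site's address table.
ADDRESSES = {
    123456: MailingAddress(123456, owner_id=1001, street="1 Sample St"),
    123457: MailingAddress(123457, owner_id=2002, street="2 Example Ave"),
}

def get_address_vulnerable(session_user_id, mailing_address_id):
    """ID-only fetch (the article's flaw): any logged-in user reads any row."""
    return ADDRESSES.get(mailing_address_id)

def get_address_hardened(session_user_id, mailing_address_id):
    """Scope the lookup to the requesting account. Missing rows and rows owned
    by someone else both yield None, so responses do not confirm which IDs exist."""
    row = ADDRESSES.get(mailing_address_id)
    if row is None or row.owner_id != session_user_id:
        return None
    return row

# Constructed access-log lines: authenticated user, request, status code.
LOG_LINES = [
    "user=1001 GET /mailingaddress/mailingAddress.htm?mailingAddressId=123456 200",
    "user=3003 GET /mailingaddress/mailingAddress.htm?mailingAddressId=100001 200",
    "user=3003 GET /mailingaddress/mailingAddress.htm?mailingAddressId=100002 200",
    "user=3003 GET /mailingaddress/mailingAddress.htm?mailingAddressId=100003 200",
    "user=3003 GET /mailingaddress/mailingAddress.htm?mailingAddressId=100004 200",
]
LOG_RE = re.compile(r"user=(\d+) GET \S*mailingAddressId=(\d+) (\d{3})")

def flag_enumerators(lines, threshold=3):
    """Return users who successfully fetched more than `threshold` distinct
    mailingAddressId values; a long run of distinct IDs marks a crawl."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "200":
            seen[int(m.group(1))].add(int(m.group(2)))
    return sorted(user for user, ids in seen.items() if len(ids) > threshold)
```

The hardened lookup is the fix the article implies; the log detector is a stop-gap for spotting a crawl while a fix is rolled out.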
Dan reported the vulnerability to The Hacker News after providing full details of the flaw to the AliExpress team and the Israeli media.
The flaw shows just how vulnerable many websites remain despite the security measures taken before they go live. It also sends an important message to site owners and users alike: it is imperative to ensure that personal details of every kind are always protected.