
AliExpress Experienced Glitch in Security

AliExpress is a wholesale online marketplace that belongs to the Chinese Alibaba Group. It was founded in 2010 and is one of the most visited online stores in Russia.
According to Chinese Internet News, a leading source of news on Chinese industry, AliExpress almost doubled Alibaba Group's sales volume in Q3 2014, reaching revenue of 55 million dollars (68 million euros).

The retailer reached a sales volume of about 9.3 billion dollars (7.532 billion euros) on 11 November 2014, the day of the biggest online sale in China. Almost half of the purchases were made on mobile devices, and the total was almost double that of Black Friday, as Alibaba's Alizila.com proudly announced on Twitter.

The Glitch

Researchers recently found a vulnerability in the AliExpress online store that may put thousands of its customers at risk: it lets an attacker harvest personal information belonging to other AliExpress users. The flaw lies in the handling of the "mailingAddressId" URL parameter, which identifies a saved shipping address on an order.

Researchers discovered that the shipping address attached to an order is selected by the "mailingAddressId" value in the URL. Substituting a different address ID makes the site return the address record of an entirely different AliExpress account: the user's name, country, town/city, street address and phone number. Only these fields are exposed; no financial data or e-mail addresses are included. The root cause is a missing authorization check: the site looks up whatever address ID it is given without verifying that the address belongs to the logged-in user, a classic insecure direct object reference (IDOR). If the IDs are predictable, an attacker does not need to know anyone's ID in advance; iterating through the ID space is enough to collect addresses in bulk.

Although this information is not strictly confidential, it is still useful to fraudsters: a victim's name and phone number are enough to start a telephone scam, for example.

Restrictions

Alibaba's developers were notified of the vulnerability but at first appeared to take no action. Now, however, anyone who tampers with the "mailingAddressId" parameter is shown a page stating "your account has not been authorized to undertake such actions", which indicates that the server now checks ownership of the requested address before returning it.
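The flaw described under "The Glitch" and the behaviour described above after the fix are the two sides of the same missing check. The following Python is an added illustration written for this page, not AliExpress's or Alibaba's code: a vulnerable address lookup that trusts the ID from the URL, the fixed lookup that also requires the record to belong to the session user, and the enumeration loop an attacker would run against each. The address table, account IDs and field names are constructed sample data; the "same response for missing and foreign IDs" choice in the fixed handler is a recommended practice, not something the article reports about the real fix.

```python
"""Insecure direct object reference (IDOR) on a shipping-address lookup:
the vulnerable handler beside the fixed one. Illustrative code only;
nothing here is AliExpress's code, and all data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MailingAddress:
    address_id: int
    owner_id: int          # account that created this address
    name: str
    country: str
    city: str
    street: str
    phone: str


# Constructed sample data standing in for the site's address table.
ADDRESSES = {
    1001: MailingAddress(1001, 7, "Alice Example", "DE", "Berlin", "Example Str. 1", "+49 30 000000"),
    1002: MailingAddress(1002, 8, "Bob Example", "RU", "Moscow", "Primernaya ul. 2", "+7 495 0000000"),
    1003: MailingAddress(1003, 7, "Alice Example", "DE", "Berlin", "Example Str. 3", "+49 30 000000"),
}


class Forbidden(Exception):
    """Raised when the session user may not read the requested object."""


def get_address_vulnerable(session_user_id: int, mailing_address_id: int) -> MailingAddress:
    """Looks the record up by the ID taken from the URL and returns it to
    whoever asked. The session user is never consulted, so any logged-in
    account can read any address in the table."""
    return ADDRESSES[mailing_address_id]


def get_address_fixed(session_user_id: int, mailing_address_id: int) -> MailingAddress:
    """Same lookup, but the record is released only if it belongs to the
    caller. The decision uses the server-side session identity, not anything
    the client sent in the request."""
    record = ADDRESSES.get(mailing_address_id)
    if record is None or record.owner_id != session_user_id:
        # One response for both "no such ID" and "not your ID", so the
        # rejection itself does not reveal which IDs exist (an added practice,
        # not something the article reports about the real fix).
        raise Forbidden("your account has not been authorized to undertake such actions")
    return record


def enumerate_addresses(lookup, session_user_id: int, id_range):
    """What an attacker does against the vulnerable endpoint: walk a range of
    candidate IDs with their own logged-in account and keep every record that
    comes back. Returns {address_id: owner_id} for the records obtained."""
    leaked = {}
    for mailing_address_id in id_range:
        try:
            record = lookup(session_user_id, mailing_address_id)
        except (KeyError, Forbidden):
            continue
        leaked[mailing_address_id] = record.owner_id
    return leaked


if __name__ == "__main__":
    attacker = 8  # Bob, logged in with his own ordinary account
    print("vulnerable:", enumerate_addresses(get_address_vulnerable, attacker, range(1000, 1010)))
    print("fixed:     ", enumerate_addresses(get_address_fixed, attacker, range(1000, 1010)))
```

Run as a script, the vulnerable lookup hands Bob all three records, including both of Alice's addresses, while the fixed lookup returns only his own. The point to carry over to real code is that the check lives next to the data access and keys on the session identity; making IDs long and random only slows enumeration down and is not a substitute for it.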


Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyberspace. Her fascination with IT security began a few years ago when malware locked her out of her own computer.
