AliExpress is a wholesale online market part of the Chinese Alibaba Group. It has been established in 2010 and is one of the most visited in Russia.
According to Chinese Internet News – a leading news source of China news across various industries – AliExpress has almost doubled Alibaba Group’s sales volume in Q3 of 2014. It has reached the tremendous revenue of 55 million dollars or 68 million in Euros.
The retailer reached a sales volume of about 9,3 billion dollars or 7,532 billion Euro on 11th November, 2014 – the day of the biggest online sale in China. Almost half of the deals were on mobile devices, the amount of sales almost doubling those of the Black Friday ones, proudly announced Alibaba’s e-commerce division Alizila.com on Twitter.
Researchers recently found that possible vulnerability in the AliExpress online store may put thousands of its customers at risk. The vulnerability gives the crooks possibility to steal personal information from AliExpress users. It has been found in the “mailingAddressId” parameter ID which is a feature allowing AliExpress customers to communicate with each other.
Researchers have discovered that the shipping address of an order can be changed within the “mailingAddressId” URL. Placing another shipping address the system reveals an entirely different AliExpress user account. That includes name, country, town / city, address and phone number of the user. Luckily only these are the parameters that could be revealed, there is no user sensitive data like financial information or email addresses. The vulnerability appears because the AliExpress website does not have additional access verification module for users entering the site.
Although the information is not strictly confidential, it could be still used by crooks for frauds. The phone number and the name of the victim would be enough to initiate a telephone scam for example.
Alibaba developers have been informed for the vulnerability, but it seemed they did not take any action at first. Now, however, trying to change parameters within the “mailingAddressID” string users see a page stating “your account has not been authorized to undertake such actions”.