X

Target back on naughty list with another security vulnerability

Did you make a wish list on Target's mobile app? Well Ho ho ho, your phone number and address are publicly accessible thanks to a newly discovered flaw.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
See full bio
Laura Hautala
2 min read

Researchers at Avast say they were able to call up personal information from Target's mobile app wish-list feature.

 John Greim/Loop Images/Corbis

Hackers can access your personal information from Target -- again -- thanks to a flaw in the retailer's mobile app.

In a blog post Tuesday, researchers from security company Avast revealed the flaw, which allows unauthorized access to customers' addresses, phone numbers and other personal information from wish lists created with the Target app. The only merry tidings are that credit card numbers don't appear to be stored with the wish lists, so financial information isn't vulnerable.

If this sounds familiar, it's because last year we learned that hackers breached Target's systems and stole the credit card information of up to 70 million customers. Though hackers have the opportunity to steal the wish list information right now, Avast researchers have found only that it would be possible. It's unknown whether the security hole has been exploited.

The wish list information was still vulnerable to hacking as of Tuesday afternoon, according to an Avast representative who added that the company hadn't notified Target of the problem. The representative didn't immediately respond to a follow-up question about why Avast hadn't informed the retailer of the flaw.

Target disabled elements of its wish list app Tuesday evening after being informed of the vulnerability, said a spokeswoman for the Minneapolis, Minnesota-based retailer.

"We apologize for any challenges guests may be facing while trying to access their registry," Molly Snyder, a communications manager at Target, said in a statement. "Our teams are working diligently overnight to resume full functionality."

Avast said Tuesday it discovered the flaw while examining the security and privacy levels of various mobile buying apps. During their examination, researchers looked at what permissions were granted users, in addition to trying to hack the apps.

As if shopping on mobile phones wasn't vexing enough, the discovery shows that some major shopping apps don't have security or privacy nailed down.

On the privacy side, researchers at Avast singled out the Walgreens shopping app for requesting user permissions that had nothing to do with the app's purpose. That means it could be collecting information you never meant to share with your friendly neighborhood drugstore.

Walgreens spokeswoman Mailee Garcia said the permissions cited by Avast were in fact related to the app's purpose.

"For example, these include our Refill by Scan feature, which requires a smartphone camera; telehealth services and consultations, which require a microphone... and connection of personal fitness devices, which require Bluetooth," Garcia said. "Any suggestion that our app's permissions are unrelated to its purpose are inaccurate."

However, Avast researchers said this level of permissions wasn't half bad.

"In fact, compared to other apps out there they are decent," wrote Avast researcher Filip Chytry.

Well, fa la la la la.

Updated 12/15 10:25 p.m. PT with Target statement.

Updated 12/16 at 3:26 p.m. PT with Walgreens statement.