The firm claims that the flaw could have allowed attackers to harvest users’ personal details, including names, shipping addresses and phone numbers. Furthermore, by exploiting the flaw, attackers could have gained the rights to alter product prices, delete goods, and even close the merchant’s shop on the site.
Erez Metula, founder of security firm AppSec, said:
We would describe this as critical as it can affect any merchant. Since this is a high-profile site like Alibaba, there are lots of shops there and people using it are also connected to other systems. Credit card details, however, were not exposed by the flaw.
AppSec immediately contacted Alibaba through emails and phone calls, but struggled to receive a proper response. AppSec then chose to speak to local media about the issue and succeeded in getting Alibaba Group’s attention.
Alibaba said in an emailed statement:
We are aware of the issue and took immediate steps to assess and remedy the situation. We have already closed the potential vulnerability and we will continue to closely monitor the situation. The security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms.
AliExpress allows Chinese merchants to sell their goods to overseas consumers, mainly in Russia, Brazil, Spain and the U.S. Although AliExpress isn’t the main revenue generator for Alibaba, the site is growing on rising sales from international markets. AppSec Lab’s own researcher decided to investigate the platform’s security because he is a regular shopper on the site, Metula said.
Earlier, another Israeli researcher also claimed that a flaw in AliExpress could allow hackers to obtain the shipping addresses of buyers on AliExpress without knowing their account passwords. Alibaba has begun thoroughly checking its other shopping platforms for vulnerabilities and flaws.