Asda website flaw left payment details of customers at risk for two years

Close to 20 million transactions were potentially at risk


Asda is under fire because of its slow response to a vulnerability in the supermarket's website which could have potentially spilled customer details to malicious parties.

Indeed, the flaw was present since at least March 2014 – almost two years ago – when a security expert, Paul Moore, first spotted it and reported the issue to Asda.

Moore told the BBC that as the Asda website (actually run by Walmart) deals with in excess of 200,000 orders every week, some 19 million transactions were potentially in danger of being compromised.

The vulnerability was a combination of cross-site scripting (XSS) and cross-site request forgery (CSRF), meaning that a user who had the supermarket's site open in one browser tab and a malicious site open in another could have their details, including payment information, compromised.

Patience ran out

Moore noted that Asda was hardly alone in being vulnerable in this respect, but criticised the organisation for its sluggish response.

In a blog post, he wrote: "Back in March 2014, I contacted Asda to report several security vulnerabilities and despite a fix promised 'in the next few weeks', little appears to have changed."

He then pointed to a tweeted reply from the Asda Service Team from last week in which he was advised: "All of our sites are secure, I would advise using Chrome."

Moore added: "After 677 days and several tweets along a similar vein, my patience has finally run out," before fully outlining the issue in a detailed blog post.

Asda has now fixed the flaw, and told the BBC: "Asda and Walmart take the security of our websites very seriously. We are aware of the issue and have implemented changes to improve the security on our website.

"The points flagged pose a low risk to customers and our monitoring of these security issues indicates that no customer information has been compromised over that two-year period."

Just last week, eBay was also accused of a slow response to a critical vulnerability, and the security researcher who uncovered that lamented the fact that big companies are only quick to respond to problems when the media get wind of them.
