Target’s app database exposed, leaks major personal data
The security firm was able to discover the loophole after it examined the privacy and security levels of various mobile apps used by customers on a daily basis. One such app, from retailing giant Target, is more than happy to make those details public.
According to their research, the Target Android app comes with an API (Application Programming Interface) that the developers failed to properly protect.
Avast said that although they accessed the personal information, they did not store any of it since they were just using it for statistical analysis.
Since the Target app handles lots of private information, this is a serious security lapse, which the Avira researchers exploited to gain access to information about 5,000 Target users.
The cybersecurity software company said it was surprised to find that Target’s app was so easily accessed. “An API is a set of conditions where if you ask a question it sends the answer,” Avast president of mobile and cybersecurity expert Filip Chytry wrote on the Avast blog Tuesday. The difference between them and Target is that Target forgot to protect the API by authenticating users who can query for information.
Using an app to create your holiday wish list seems like a safe enough thing to do.
After Target was informed about the vulnerability, the big-box retailer disabled those components of its wish list app to mitigate any future hacking possibilities. “Once you have that figured out, all the data is served to you on a silver platter in a JSON file.” That data included users’ names and phone numbers, emails and shipping addresses, as well as the type of registries and the items on them.
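The missing control described above can be seen in a minimal sketch. This is an added example, not code from Target or Avast: the handler names, record fields, tokens and the rule that non-owners see only the registry type and items are all assumptions made for illustration, and the data is constructed.

```python
import hmac
import json

# Constructed records; field names are assumptions modelled on the data the article lists.
WISHLISTS = {
    "wl-1001": {"owner": "alice", "name": "Alice Example", "phone": "555-0100",
                "email": "alice@example.com", "shipping_address": "1 Example St",
                "registry_type": "holiday", "items": ["blender", "lamp"]},
    "wl-1002": {"owner": "bob", "name": "Bob Example", "phone": "555-0101",
                "email": "bob@example.com", "shipping_address": "2 Example Ave",
                "registry_type": "wedding", "items": ["toaster"]},
}
# Constructed session store (token -> user); a real service would issue expiring tokens.
SESSIONS = {"tok-alice-3f9c": "alice", "tok-bob-77aa": "bob"}
SHARED_FIELDS = ("registry_type", "items")  # assumption: all a non-owner needs to see

def get_wishlist_unprotected(list_id, headers):
    """The flaw: no caller identity is checked, so the whole record is returned."""
    record = WISHLISTS.get(list_id)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(record)

def _authenticate(headers):
    """Return the user behind a valid bearer token, or None."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return None
    for token, user in SESSIONS.items():
        # Constant-time comparison avoids leaking token prefixes through timing.
        if hmac.compare_digest(token.encode(), presented.encode()):
            return user
    return None

def get_wishlist_protected(list_id, headers):
    """Authenticate first, then return only what this caller is entitled to."""
    user = _authenticate(headers)
    if user is None:
        return 401, json.dumps({"error": "authentication required"})
    record = WISHLISTS.get(list_id)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    if record["owner"] == user:
        body = {k: v for k, v in record.items() if k != "owner"}
    else:
        body = {k: record[k] for k in SHARED_FIELDS}  # no contact details for others
    return 200, json.dumps(body)
```

The protected handler applies two separate checks: who is asking, and which fields that caller may receive.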
“Recently, the Avast Security Warriors began looking into shopping apps to see what your favorite retailers know about you.”
As a side note, Avira said that during their investigation, the Walgreens Android app requested by far the highest number of unnecessary permissions of all the tested apps, with the Home Depot app coming in a close second. It does single out Walgreens’ app, however, for requesting a ridiculous amount of permissions, including the ability to change your audio settings, pair with Bluetooth devices, control your flashlight, and run at startup.