{"id":78767,"date":"2015-12-30T20:55:11","date_gmt":"2015-12-31T01:55:11","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2021-07-31T21:22:13","modified_gmt":"2021-08-01T01:22:13","slug":"target-wish-list-leaks-your-info","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/target-wish-list-leaks-your-info\/","title":{"rendered":"Target Wish List Leaking Your Data"},"content":{"rendered":"

\"Target<\/a>The holiday shopping season has not been merry for mega-mart Target<\/strong>. You would think the mega-retailer<\/strong> that leaked info on 110 million customers<\/strong> would learn how to keep their customers’ info secure but NOOOO<\/strong>. The anti-virus firm AVAST<\/a><\/strong> has discovered<\/a> the Target<\/a> <\/strong>(TGT<\/a>) Wish List app<\/a><\/strong> is leaking<\/strong> your data, your personally identifiable information (PII<\/a>)<\/strong>.<\/p>\n

\"Data<\/a>The Avast Blog says that if you created a Christmas wish<\/strong> list using the Target app it is leaking your data.\u00a0 it might be accessible to more people than you want to actually receive gifts from. The Target app keeps a database of users\u2019 wish lists, names, addresses, and email addresses.<\/strong><\/p>\n

Alarmingly, for a firm that has privacy issues, the Target app\u2019s backend<\/strong> interface is not secured. <\/strong>This allowed the database to be accessed over the Internet<\/strong>. The author reports that the Application Program Interface<\/a> (API<\/strong>) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication<\/strong>. The only thing you need to parse all the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON<\/a> file<\/strong>.<\/p>\n

Leaking your data<\/h3>\n

\"while<\/p>\n

The JSON file that the AVAST researchers requested from Target\u2019s API leaked lots of interesting data. The leaked data included: users\u2019 names, email addresses, shipping addresses<\/strong>, phone numbers, the type of registries, and the items on the registries. The AVAST researchers did not store any PII, but they did aggregate data from 5,000 inputs for statistical analysis.<\/p>\n

The AVAST researchers took the sample and looked at which some of the data they got. It included; brands, states the Target app users are from, and the most common names of people using Target\u2019s app.<\/p>\n

\"Leasked<\/a><\/p>\n

This appears to be a classic case of security by obfuscation<\/a>.<\/strong> The app developers created the online API for data that is uploaded by Target.<\/strong> They also set up a separate API in tandem so that the retail chain could download and process the uploaded data \u2013 but without any security measures in place.<\/p>\n

\"Target<\/a>In a post<\/a> on Ars Technica<\/em><\/a>, a Target spokesperson said that it has suspended elements of the app while developers investigate. Hopefully, this should mean that the data-leaking has stopped while the backend has been disabled.<\/p>\n

In other Target data breach news FierceITSecurity<\/em><\/a> reports<\/a> that Target has reached a $39.4 million settlement<\/strong> with banks and credit unions over claims they lost millions of dollars as a result of the massive 2013 data breach<\/strong> at the retailer. The massive data breach at Target exposed the credit and debit card numbers of 40 million customers to hackers and personal information on another 70 million.<\/p>\n

The settlement, if accepted, will resolve class-action lawsuits by the banks and credit unions seeking reimbursement for fraudulent charges and issuing new cards. Of the $39.4 million, $20.25 million will be paid to banks and credit unions, and $19.11 million will be paid to reimburse MasterCard<\/a> card issuers.<\/p>\n

\"cautionary<\/a>This follows settlements that Target reached with Visa card<\/a> issuers for $67 million<\/strong> and with customers for $10 million<\/strong>. Target estimated that the breach so far has cost it $290 million, with insurers picking up $90 million, according to a filing with the Securities and Exchange Commission<\/a> last week. Target is not out of the woods yet. It still has to deal with shareholder lawsuits<\/strong> and a probe by the Federal Trade Commission<\/a><\/strong> and state attorneys general<\/strong> related to the data breach.<\/p>\n

Fred Donovan at FierceITSecurity<\/em> says Target is a cautionary tale for any enterprise. Despite handling billions of dollars in credit card transactions, the retailer did not have one person responsible for IT security<\/strong> at the time of the breach. While it had a network security system in place, it did not<\/strong> have IT security personnel skilled enough to recognize an alarm<\/strong> the system set off months before<\/strong> Target discovered the breach.<\/p>\n

rb-<\/em><\/strong><\/p>\n

Cash is king, especially at Target.<\/em><\/p>\n

Related articles<\/h6>\n