Vulnerability in AliExpress shopping portal

[German]The AliExpress shopping portal, run by the Chinese AliBaba Group, could be attacked by a simple trick: criminals could have harvested customers' credit card details directly from a page that appeared to belong to AliExpress. The vulnerability has since been fixed.



With more than 100 million customers and $23bn in revenue worldwide, AliExpress, part of the AliBaba Group, is one of the most popular places to shop online. Cyber criminals targeting shoppers in the run-up to Black Friday and the Christmas holidays could have exploited exactly that popularity. Researchers at Check Point recently discovered a new way for criminals to trick online shoppers through the AliExpress portal.

  • The vulnerability lets criminals target AliExpress users by sending them a link to an AliExpress web page that carries malicious JavaScript. When the victim opens the page, the script runs in their browser. AliExpress does have protection against cross-site scripting, but an open redirect on the site lets the attacker get around it, so the injected code runs on a page that genuinely belongs to AliExpress.
  • The attackers could then display a pop-up coupon offer, served from an AliExpress-owned subdomain, asking the customer to enter credit card details for a "smoother and more efficient shopping experience".

(Fake AliExpress site, source: Check Point)

The attackers, however, fully control that pop-up: every credit card detail typed into it is sent straight to them rather than to the shopping site. In practice, such an attack could be launched through an e-mail phishing campaign carrying the prepared link.

After discovering the vulnerability, Check Point's researchers immediately informed AliExpress, which takes security seriously and fixed the issue within two days of notification. More details can be found in Check Point's report.
