Asda is one of the big four supermarkets in the UK. As well as having an online grocery store they have a sister site called Asda Gifts that sells days out and personalised items. The vulnerability described in this post exposed full names, phone numbers (if they had been added by the customer) and addresses for all account holders.
Like most online stores Asda Gifts has a page that lets customers add or edit their addresses. Multiple addresses can be added per account with each one having a unique ID. The page to edit an address is loaded via ajax and displayed in a popup on the main account page. The popups content (open in a separate tab) is shown below.
The ajax request to generate the popup content contained the parameter DeliveryDetailId. I decided to make a second account and try and access the address stored on my first account by its ID. It worked; the popups content was displayed normally with my address filled out in the form fields. Taking it a step further I signed out and tried to access it again while not logged in. It still worked. It turned out there were absolutely no authorisation checks occurring.
After creating an address on the second account I noticed its ID was only a few digits different from the first one. They were being assigned consecutively. Creating a script to scrape all addresses by iterating through the IDs would have been trivial. Judging by the ID of my address (727675) there are a lot of entries in the system.
Fortunately the data leak was fixed quickly. After reporting to Asda via email they responded within a day. It was patched on May 6th. When trying to visit the page in question a message is now displayed letting the user know they are not authorised to view the information.
- Reported: 4th May
- Acknowledged: 5th May
- Fixed: 6th May