A programming flaw in the code of popular online marketplace AliExpress, which connects small Chinese businesses with international buyers and has over 7.7 million registered users, has endangered each and every one of them as it could reveal their names, shipping addresses and phone numbers to anyone who knew where to look.
Discovered by Israeli security researcher Amitay Dan, the insecure direct object reference vulnerability in question has been reported to the company behind the site – Chinese e-commerce giant Alibaba – and has been fixed.
The vulnerability allowed any logged-in user to access the aforementioned information about every other user simply by changing the value of the “mailingAddressId” parameter in the URL of the mailingAddress.htm page, where users enter and edit their shipping details. The server looked up whatever address ID the client supplied and never checked that the record belonged to the logged-in account, which is the defining mistake of an insecure direct object reference.
After sharing this information with the company and Israeli media, he also demonstrated the attack for The Hacker News, which confirmed the existence of the flaw.
By writing an automated script that repeatedly requested the page while stepping the “mailingAddressId” parameter through every number between 1 and 99,999,999,999, an attacker with a single ordinary account could have easily built a huge trove of information to use for scams and fraud, or to sell on to other crooks.
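To make the flaw concrete, here is an added example that models both the vulnerable lookup described above and the enumeration loop an attacker would run against it. This is illustrative code written for this page, not code from AliExpress or Alibaba; the handler names, the in-memory address table, the sample users and the ID range are all hypothetical. The only detail taken from the article is the `mailingAddressId` query parameter on `mailingAddress.htm`.

```python
"""Hypothetical model of an insecure direct object reference on a
mailing-address page, beside its fixed form. Added example; not
AliExpress/Alibaba code. All data below is constructed for the demo."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class MailingAddress:
    address_id: int
    owner_user_id: int
    name: str
    street: str
    phone: str


# Constructed sample data: three users, four addresses with sequential IDs.
# Sequential IDs are what make a brute-force walk of the ID space cheap.
ADDRESSES: Dict[int, MailingAddress] = {
    1001: MailingAddress(1001, 7, "Alice Example", "1 Main St", "+1-555-0100"),
    1002: MailingAddress(1002, 8, "Bob Example", "2 Side Ave", "+1-555-0101"),
    1003: MailingAddress(1003, 7, "Alice Example", "3 Work Rd", "+1-555-0100"),
    1004: MailingAddress(1004, 9, "Carol Example", "4 Elm Ln", "+1-555-0102"),
}


class Forbidden(Exception):
    """Raised when the caller is not logged in."""


class NotFound(Exception):
    """Raised when no address is returned for the requested id."""


def address_id_from_url(url: str) -> Optional[int]:
    """Extract mailingAddressId from a mailingAddress.htm URL (client-controlled)."""
    query = parse_qs(urlparse(url).query)
    values = query.get("mailingAddressId")
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def vulnerable_get_address(session_user_id: Optional[int],
                           mailing_address_id: int) -> MailingAddress:
    """IDOR: the only check is 'is the caller logged in'. The record is then
    fetched by the client-supplied id with no ownership check at all."""
    if session_user_id is None:
        raise Forbidden("login required")
    record = ADDRESSES.get(mailing_address_id)
    if record is None:
        raise NotFound("no such address")
    return record


def secure_get_address(session_user_id: Optional[int],
                       mailing_address_id: int) -> MailingAddress:
    """Fixed form: authorize the object, not just the session. A record that
    exists but belongs to someone else is reported exactly like a missing one,
    so the endpoint cannot be used as an oracle for which ids are live."""
    if session_user_id is None:
        raise Forbidden("login required")
    record = ADDRESSES.get(mailing_address_id)
    if record is None or record.owner_user_id != session_user_id:
        raise NotFound("no such address")
    return record


def enumerate_addresses(get_address: Callable[[Optional[int], int], MailingAddress],
                        session_user_id: int, start: int, stop: int) -> List[MailingAddress]:
    """Attacker's loop: with one logged-in account, walk the id range and keep
    every record that comes back. The article describes this over 1..99,999,999,999;
    the hypothetical range here is tiny so the demo runs instantly."""
    harvested: List[MailingAddress] = []
    for mailing_address_id in range(start, stop + 1):
        try:
            harvested.append(get_address(session_user_id, mailing_address_id))
        except (Forbidden, NotFound):
            continue
    return harvested


def records_leaked_to(session_user_id: int, harvested: List[MailingAddress]) -> int:
    """How many harvested records belong to someone other than the attacker."""
    return sum(1 for a in harvested if a.owner_user_id != session_user_id)


if __name__ == "__main__":
    # User 8 (Bob) logs in with his own account and walks the id space.
    leaked = enumerate_addresses(vulnerable_get_address, 8, 1000, 1010)
    print("vulnerable handler: harvested", len(leaked), "records,",
          records_leaked_to(8, leaked), "belonging to other users")
    fixed = enumerate_addresses(secure_get_address, 8, 1000, 1010)
    print("fixed handler: harvested", len(fixed), "records,",
          records_leaked_to(8, fixed), "belonging to other users")
```

The fix is the single ownership comparison in `secure_get_address`; everything else in the two handlers is identical. Returning the same "not found" response for a foreign record and a nonexistent one is a deliberate choice, so that a walk of the ID space under the fixed handler learns nothing about which IDs exist.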
Perhaps someone did so already, who knows?
The only good news is that the flaw did not expose users’ login credentials or financial information. Unfortunately, for a skillful scammer, a name and a phone number are often more than enough.