If you can’t afford a $600 product from an online store, why not change the price to $1? This is a typical decision customers to Alibaba’s online stores had to make on a daily basis that is, before a vulnerability discovered by Israel cyber security researchers was patched.
The security flaw allowed a malicious hacker to alter the shipping address and have purchased product delivered directly to them therefore compromising the security of millions of merchants and shoppers to the Chinese online store.
“If I want to buy a $600 phone, I can change the price to a dollar and buy it,” said AppSec founder Erez Metula said. “I can see what people have bought, I can change the shipping address so things can be sent to me instead.”
The vulnerability, first reported on Israel channel 10 TV, was discovered by, Barak Tawily, a 21 year old researcher at AppSec Labs. He however said the flaw was yet to be exploited on a large scale, so not a cause for alarm.
The security flaw comes in the wake of almost a similar vulnerability that that compromised personal account information of Alibaba customers. The flaw, discovered by Cybermoon security firm was fixed shortly after Cybermoon founder Amitay Dan notified Alibaba.
While acknowledging the vulnerabilities, Alibaba spokeswoman Molly Morgan said on Tuesday that all “potential vulnerabilities” on Alibaba’s ecommerce platforms have been fixed. She further assured shoppers that the company will continue doing everything possible to ensure a “secure trading environment on its platforms.”
Alibaba operates successful ecommerce platforms, with two of its online stores, Tmall and Taobao curving a whopping 84% market share in China. The company is expanding to other sectors including health, online insurance and travel booking, after a successful IPO in New York stoker exchange that raise over $25 billion. Industry analysts expect Alibaba’s smartphone OS, YunOS to garner a larger market share after a speculated partnership with Chinese smartphone makers such as Xiaomi and Coolpad.
Alibaba is also in talking terms with Apple for a possible partnership in processing payment through its online payment service Alipay, as reported by Chinese media. The deal will enable over 300 million Alipay users in China to authenticate their accounts using a fingerprint sensor in iPad through a recently updated Alipay iOS App.
(Security Affairs – Alibaba, hacking)
The post firstly published on Security Gladiators at this URL http://securitygladiators.com/2014/12/11/alibaba-group-site-vulnerabilities-israel-security-experts/