AliExpress patches account mass harvesting flaw

Global threads bazaar AliExpress, an offshoot of global tat bazaar AliBaba, has patched a URL flaw that allowed attackers to harvest users' personal details including names, shipping addresses and phone numbers.

The insecure direct object reference vulnerability reported by an unnamed researcher affected 7.7 million logged-in users for AliExpress, the online retail wing of AliBaba that's the most visited e-commerce site in Russia.

Security researcher Amitay Dan demonstrated the flaw to news site The Hacker News, noting that attackers could harvest personal data en masse using a script to pull the 'mailingAddress.htm' page for numbers between 1 to 99,999,999,999 under the 'mailingAddressId' value.

Enterprising internet scum could use the details for targeted phishing attacks mimicking AliExpress emails in a bid to steal logins and other payment information.

AliBaba was not immediately available for comment regarding evidence of attacks.

Subsequent tests by this reporter failed, indicating AliExpress had fixed the flaw.

Direct object references are a class of programming flaw that provide access to database objects via user input in the URL, bypassing bypassing user authentication. That means a bash script and curl is all an attacker needs to build their own database of targets.

Insecure direct objects were awarded fourth spot on the Open Web Application Security Project's Top Ten critical flaws on both the 2010 and most recent 2013 lists.

Admins could test for the flaw by mapping out application locations and tinkering with inputs for object references. ®