A Blog by Jonathan Low


Dec 23, 2015

It Must Be Christmas: Because Target Is Losing Customers' Data. Again.

Sounds like some people are not going to have a relaxing holiday with the family. JL

Timothy Geigner reports in TechDirt:

The Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. The Target API does not require any authentication. The only thing you need to parse all of the data automatically is to figure out how the user ID is generated.
The season of Christmas is upon us. You can feel it everywhere, from the holiday decorations, to the television specials, to the waning interest in workplace productivity. Oh, yeah, and Target is back in the news for losing people's personal information again.
Hackers can access your personal information from Target -- again -- thanks to a flaw in the retailer's mobile app. In a blog post, researchers from security company Avast revealed the flaw, which allows unauthorized access to customers' addresses, phone numbers and other personal information from wish lists created with the Target app. The only merry tidings are that credit card numbers don't appear to be stored with the wish lists, so financial information isn't vulnerable.
This of course reminds shoppers everywhere of that time Target was the victim of a hack that resulted in the exposure of millions of customers' credit card information. That breach was so bad, and the news of it so well circulated, that Target set up a website page dedicated to telling customers all about it, assuring them not only that they wouldn't be responsible for any charges on those credit cards, but also assuring customers that the company was, like, super dedicated to security moving forward.
We are committed to making this right and are investing in the internal processes and systems needed to reduce the likelihood that this ever happens again. For example, we are accelerating our plans to put chip-enabled technology in our stores and on our Target REDcards by early 2015, six months ahead of our previous plan.
The vulnerability of the Target app, however, isn't something that could be prevented by a chip. It would have required something as technologically advanced as basic authentication, according to Avast, which published the vulnerability.
To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.

The JSON file we requested from Target’s API contained interesting data, like users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries.
So much for all that dedication to security. Merry Christmas, Target shoppers!
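The Avast description above amounts to two separate failures: the endpoint takes a user ID as its only input with no notion of who is asking, and the record it returns carries contact details that a registry lookup never needed to expose. The model below, added here as an illustration and not code from Target, Avast or TechDirt, shows the unauthenticated shape being scraped once the ID scheme is known, beside a hardened shape that binds the caller to a token, checks ownership before it touches data, and serves the shareable view only through an unguessable link with the contact fields stripped. The integer IDs, the sample records, the HMAC token format and the share-link scheme are all assumptions made for the example; the article does not say how Target's user IDs were actually generated.

```python
"""Unauthenticated registry lookup versus an authenticated, ownership-checked one.
Added example for illustration; not Target's, Avast's or TechDirt's code. Records,
ID scheme and token formats are constructed for the demo."""
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed sample records (not real data). Field names follow the categories
# Avast listed: name, email, shipping address, phone, registry type, items.
REGISTRIES: Dict[int, dict] = {
    1001: {"name": "Alice Example", "email": "alice@example.com",
           "address": "1 Main St, Springfield", "phone": "555-0100",
           "type": "wedding", "items": ["toaster", "blender"]},
    1002: {"name": "Bob Example", "email": "bob@example.com",
           "address": "2 Oak Ave, Springfield", "phone": "555-0101",
           "type": "baby", "items": ["stroller"]},
    1005: {"name": "Carol Example", "email": "carol@example.com",
           "address": "5 Elm Rd, Springfield", "phone": "555-0105",
           "type": "wishlist", "items": ["headphones"]},
}
PRIVATE_FIELDS = ("email", "address", "phone")   # never belong in a shared view

Response = Tuple[int, Optional[str]]   # (HTTP-style status, JSON body or None)


# ---- Vulnerable shape: the user ID is the only input; no caller identity at all. ----
def vulnerable_get_registry(user_id: int) -> Response:
    rec = REGISTRIES.get(user_id)
    if rec is None:
        return 404, None
    return 200, json.dumps(rec)          # full record, contact details included, to anyone


def scrape(handler: Callable[[int], Response], start: int, stop: int) -> Dict[int, dict]:
    """What a scraper does once it knows how IDs are generated (assumed sequential
    integers here): walk the range and keep every record the API hands back."""
    found: Dict[int, dict] = {}
    for uid in range(start, stop):
        status, body = handler(uid)
        if status == 200 and body is not None:
            found[uid] = json.loads(body)
    return found


# ---- Hardened shape: the caller proves who they are, the server decides what they may see. ----
SERVER_KEY = secrets.token_bytes(32)     # per-process secret; a real service uses sessions/OAuth


def issue_token(user_id: int) -> str:
    """Stand-in for a login: user_id bound to an HMAC so the client cannot rewrite it."""
    mac = hmac.new(SERVER_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{mac}"


def caller_from_token(token: Optional[str]) -> Optional[int]:
    """Return the authenticated user ID, or None for a missing, malformed or forged token."""
    if not token or ":" not in token:
        return None
    uid_s, mac = token.split(":", 1)
    expected = hmac.new(SERVER_KEY, uid_s.encode(), hashlib.sha256).hexdigest()
    if not uid_s.isdigit() or not hmac.compare_digest(mac, expected):
        return None
    return int(uid_s)


def hardened_get_registry(user_id: int, token: Optional[str]) -> Response:
    caller = caller_from_token(token)
    if caller is None:
        return 401, None                 # no valid identity: refuse before touching data
    if caller != user_id:
        return 403, None                 # decided before the lookup, so 403 does not reveal whether the ID exists
    rec = REGISTRIES.get(user_id)
    if rec is None:
        return 404, None
    return 200, json.dumps(rec)          # owner sees the full record


# Registries are meant to be shared, so a public view is legitimate; it is keyed by an
# unguessable link rather than the user ID, and it drops the contact fields.
SHARE_LINKS: Dict[str, int] = {}


def share_link_for(user_id: int) -> str:
    link = secrets.token_urlsafe(16)     # 128 bits of randomness: cannot be enumerated
    SHARE_LINKS[link] = user_id
    return link


def public_view(share_link: str) -> Response:
    uid = SHARE_LINKS.get(share_link)
    rec = REGISTRIES.get(uid) if uid is not None else None
    if rec is None:
        return 404, None
    return 200, json.dumps({k: v for k, v in rec.items() if k not in PRIVATE_FIELDS})


if __name__ == "__main__":
    leaked = scrape(vulnerable_get_registry, 1000, 1010)
    print("unauthenticated scrape recovered", len(leaked), "records, phones:",
          [r["phone"] for r in leaked.values()])
    alice = issue_token(1001)
    print("alice reads own registry:", hardened_get_registry(1001, alice)[0])
    print("alice reads bob's registry:", hardened_get_registry(1002, alice)[0])
    print("no token:", hardened_get_registry(1001, None)[0])
    print("tampered token:", hardened_get_registry(1002, alice.replace("1001", "1002", 1))[0])
    print("shared view:", public_view(share_link_for(1001))[1])
```

The ordering inside hardened_get_registry matters: identity is checked first, ownership second, and only then is the record fetched, so a scanner with one valid account gets a uniform 403 for every other ID and learns nothing about which IDs exist. Splitting the shared view onto a random link is what removes the "figure out how the user ID is generated" step entirely, and stripping email, address and phone from that view is the data-minimisation half of the fix that authentication alone does not provide.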
