Ali Express Vulnerability Discloses Millions of Users' Information

AliExpress, a popular e-commerce website owned by Alibaba.com, suffers from a simple but critical user information disclosure vulnerability. The flaw is critical because it exposes any user's information without requiring the victim's account password.

The site, which has 300 million active users from almost all over the world, suffers from an information disclosure vulnerability that puts millions of users' information at risk.

Israeli application security researcher Amitay Dan discovered the critical vulnerability on Ali Express. The researcher reported the flaw to Ali Express and also provided full disclosure of the vulnerability to Israeli media and THN.

For a better explanation of the bug, Amitay provided a video demonstration of the vulnerability that explains the details of the flaw.

For some reason, the demonstration video of the vulnerability has since been deleted.

According to the video proof of concept of the flaw, Ali Express allows logged-in users to add or update their shipping address and contact number at the following URL: http://trade.aliexpress.com/mailingaddress/mailingAddress.htm?mailingAddressId=123456
Here 123456 is the user ID. Researcher Amitay changed the value of the mailingAddressId parameter to random digits, and this manipulation of the user ID leads to the exposure of that user's information.

The Ali Express site fails to validate the request and thus shows the corresponding user's details on the same page. The flaw was simple but very critical, as attackers could grab the personal information of millions of users just by randomly changing the user ID.
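As an added illustration (not AliExpress's code, nor the researcher's), the lookup pattern the article describes beside the ownership check that closes it, plus a small log heuristic that flags sessions cycling through many mailingAddressId values; the function names, records and log lines below are constructed for the example:

```python
# Added example, not code from AliExpress: an id lookup with no ownership check
# (the bug the article describes), the hardened form, and a log-based detector.
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample data: mailing-address records keyed by id, each with an owner.
ADDRESSES = {
    123456: {"owner": "alice", "name": "Alice A.", "phone": "+1-555-0100"},
    123457: {"owner": "bob", "name": "Bob B.", "phone": "+1-555-0101"},
}


def get_address_vulnerable(session_user, mailing_address_id):
    """Returns the record for any existing id; the caller's identity is ignored."""
    return ADDRESSES.get(mailing_address_id)


def get_address_fixed(session_user, mailing_address_id):
    """Scopes the lookup to the caller: a foreign id looks exactly like a missing one."""
    rec = ADDRESSES.get(mailing_address_id)
    if rec is None or rec["owner"] != session_user:
        return None
    return rec


# Constructed access-log lines, "<session> <url>"; session s2 walks through four ids.
BASE = "http://trade.example.com/mailingaddress/mailingAddress.htm?mailingAddressId="
LOG_LINES = [
    "s1 " + BASE + "123456",
    "s1 " + BASE + "123456",
    "s2 " + BASE + "123457",
    "s2 " + BASE + "123458",
    "s2 " + BASE + "123459",
    "s2 " + BASE + "123460",
]


def flag_enumeration(lines, threshold=3):
    """Returns sessions that requested more than `threshold` distinct mailingAddressId values."""
    seen = defaultdict(set)
    for line in lines:
        session, url = line.split(" ", 1)
        query = parse_qs(urlparse(url).query)
        for mid in query.get("mailingAddressId", []):
            seen[session].add(mid)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)
```

The threshold is a placeholder; in practice it would be tuned to how many addresses a legitimate account edits in one session.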