While it continues to settle with credit card providers and victims of its 2013 breach, Target has experienced a new data security headache courtesy of a mobile app.
According to research from Avast, the Wish List app’s Application Program Interface (API) is easily accessible over the internet, does not require any authentication and can serve data to an attacker in a JSON file. “The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated,” Avast researcher Filip Chytry said.
The JSON file it requested from Target’s API contained data such as users’ names, email addresses, shipping addresses, phone numbers, the type of registries used and the items on the registries.
Target later said that it had suspended elements of the app while developers investigate the problem.
The Avast researchers also analyzed another Christmas app from Walgreens and found it required a large number of unnecessary permissions, including permission to change audio settings, pair with Bluetooth devices, control the flashlight and run at start-up.