Alibaba Group has patched a major security vulnerability in one of its e-commerce portals that exposed account details of tens of millions of merchants and shoppers to cybercriminals.
An Israeli application security firm, AppSec Labs, found a cross-site scripting (XSS) vulnerability in AliExpress, the company’s English-language e-commerce site, which was found vulnerable to a similar flaw a week ago that compromised personal information of Alibaba customers. The flaw was fixed shortly after the security firm Cybermoon disclosed it to Alibaba.
AliExpress is an online marketplace owned by Chinese e-commerce giant Alibaba.com, also known as the Google of China. The company serves more than 300 million active users from more than 200 countries, including the U.S., Russia and Brazil. But the critical vulnerability found by the researcher could allow an attacker to hijack a merchant’s account.
Using the AliExpress XSS vulnerability, an attacker can inject a malicious script as the value of the message parameter; when the seller browses to the message center on the AliExpress website using his account, the script is executed in his browser. An XSS payload can lead to several attacks, such as performing actions on behalf of a seller, phishing, or stealing the victim’s session identifier.
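A standard defence against this class of flaw is to encode the message value when it is written into the message-center page, backed by a Content-Security-Policy and an HttpOnly session cookie. The sketch below is an added example, not code from AliExpress or AppSec Labs; the function names, the cookie name sid and the sample message are assumptions constructed for illustration.

```javascript
// Added example: hypothetical message-center rendering, not AliExpress code.
'use strict';

// Constructed sample: a buyer-supplied "message" value that carries markup.
const SAMPLE_MESSAGE = 'Is this in stock? <script>document.title="injected"</script>';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored message is concatenated into the page as markup,
// so the seller's browser parses and runs whatever the sender supplied.
function renderMessageUnsafe(message) {
  return '<li class="msg">' + message + '</li>';
}

// Hardened pattern: the message is encoded at output time and displayed as text.
function renderMessageSafe(message) {
  return '<li class="msg">' + escapeHtml(message) + '</li>';
}

// Defence in depth for the message-center response: the CSP refuses inline
// script, and HttpOnly keeps the session cookie out of reach of page script.
function messageCenterHeaders(sessionId) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
    'Set-Cookie':
      'sid=' + encodeURIComponent(sessionId) + '; HttpOnly; Secure; SameSite=Lax; Path=/',
  };
}

// Regression check for a test suite: flags script tags or inline event
// handlers that survived into rendered HTML (a heuristic, not a sanitizer).
function containsExecutableMarkup(html) {
  return /<script\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}
```

Output encoding is the primary control here; the headers only limit what an injected script could do if an encoding step is missed elsewhere on the page.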
The vulnerability was discovered by Barak Tawily, a 21-year-old application security researcher at AppSec Labs. Exploiting the vulnerability allowed him to change product prices, delete goods, and even close the merchant’s shop on the site.
Barak has also provided a proof-of-concept (PoC) video to The Hacker News via email, explaining the full attack on the AliExpress website.
"Skilled hacker might exploit this vulnerability and perform ranged attack by sending malicious messages to all AliExpress sellers and will cause a huge damage to AliExpress website," Tawily said.
AppSec Labs immediately reported the vulnerability to the Alibaba team through emails and phone calls, providing full details of the flaw. The company didn’t respond immediately, but last week, when AppSec Labs spoke to the Israeli media about the issue, Alibaba contacted the security firm.
The vulnerability has now been patched by the company and it is urging its customers to update their accounts immediately.
"We are aware of the issue and took immediate steps to assess and remedy the situation," said Candice Huang, manager of International Corporate Affairs for Alibaba Group. "We have already closed the potential vulnerability and we will continue to closely monitor the situation. The security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms."