Researchers at Avast say they were able to call up personal information from Target’s mobile app wish-list feature.

John Greim/Loop Images/Corbis

Hackers can access your personal information from Target — again — thanks to a flaw in the retailer’s mobile app.

In a blog post Tuesday, researchers from security company Avast revealed the flaw, which allows unauthorized access to customers’ addresses, phone numbers and other personal information from wish lists created with the Target app. The only merry tidings are that credit card numbers don’t appear to be stored with the wish lists, so financial information isn’t vulnerable.

If this sounds familiar, it’s because last year we learned that hackers breached Target’s systems and stole the credit card information of up to 70 million customers. Though hackers have the opportunity to steal the wish list information right now, Avast researchers have found only that it would be possible. It’s unknown whether the security hole has been exploited.

Target didn’t respond to a request for comment on the problem with its app. The wish list information was still vulnerable to hacking as of Tuesday afternoon, according to an Avast representative who added that the company hadn’t notified Target of the problem. The representative didn’t immediately respond to a follow-up question about why Avast hadn’t informed the retailer of the flaw.

Avast said Tuesday it discovered the flaw while examining the security and privacy levels of various mobile buying apps. During their examination, researchers looked at what permissions were granted users, in addition to trying to hack the apps.

As if shopping on mobile phones wasn’t vexing enough, the discovery shows that some major shopping apps don’t have security or privacy nailed down.

On the privacy side, researchers at Avast singled out the Walgreens shopping app for requesting user permissions that had nothing to do with the app’s purpose. That means it could be collecting information you never meant to share with your friendly neighborhood drugstore.

Walgreens said it didn’t have an immediate comment on the types of permissions its app seeks, which include access to a phone’s bluetooth connection as well as the camera and microphone.

However, Avast researchers said this level of permissions wasn’t half bad.

“In fact, compared to other apps out there they are decent,” wrote Avast researcher Filip Chytry.

Well, fa la la la la.


Target back on naughty list with another security vulnerability – CNET