Wish list app from Target springs a major personal data leak
The next time a friend or family member asks you to install a gift-registry app, remember this: the app is almost certainly soaking up lots of your personal details. In the case of one such app from retailing giant Target, it's more than happy to make those details public. Witness the following:
According to researchers from security firm Avast, the database storing the names, e-mail addresses, home addresses, phone numbers, and wish lists of Target customers is available to anyone who figures out the app's publicly available programming interface. In a blog post published Tuesday, they wrote:
If you created a Christmas wish list using the Target app, it might be accessible to more people than you want to actually receive gifts from. The Target app keeps a database of users’ wish lists, names, addresses, and e-mail addresses. But your closest family and friends may not be the only ones who know you want a new suitcase for your upcoming cruise!
To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.
The JSON file we requested from Target’s API contained interesting data, like users’ names, e-mail addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries. We did not store any personal information, but we did aggregate data from 5,000 inputs, enough for statistical analysis.
Officials for Target weren't immediately available for comment. This post will be updated if they respond later.