Check Point researchers recently identified a vulnerability in the AliExpress portal that could be used to steal sensitive information, primarily credit card details. AliExpress is a widely popular shopping website that caters to around 100 million customers. Users can find almost anything on the site, and its coupons attract both new and returning customers.
It is not uncommon for AliExpress to ask users to enter their credit card details for a faster and smoother checkout, often offering coupons in exchange. The researchers uncovered a way attackers could theoretically take advantage of this, so that users would unknowingly hand their banking information to a malicious party.
How the attack could work
Potential attackers would send out emails containing links to a compromised AliExpress page carrying malicious JavaScript code. Theoretically, if a user clicked the link and landed on the page, the malicious code would execute in the user's browser, bypassing AliExpress's protection against cross-site scripting attacks.
Once the user was on the site, a pop-up would appear, identical to the legitimate AliExpress coupon pop-up, claiming that a coupon is available if the user enters their credit card details. A user who entered that information would, instead of getting a faster and smoother checkout, be handing their banking information to the attackers.
“The attackers could then present a pop-up coupon offer on the home screen – running under an AliExpress owned subdomain – asking customers to provide credit card details to allow for a smoother and more efficient shopping experience. The attackers, however, are solely controlling this pop-up window with all credit card details entered sent directly to them rather than the shopping site,” security researchers Dikla Barda, Roman Zaikin and Oded Vanunu report.
Although this kind of attack has only been demonstrated in theory, it would likely prove successful. This is largely because AliExpress does show similar pop-ups, in which users are asked to enter their card details to ensure a better shopping experience, in addition to coupons. So if users received the malicious pop-up, even the most security-conscious among them might not suspect that something was wrong.
A full explanation of how the researchers discovered the vulnerability can be found here.
AliExpress fixed the vulnerability
The researchers who discovered the flaw reported it to AliExpress, which fixed it within two days.
“After discovering the vulnerability, Check Point Researchers immediately informed AliExpress (9th Oct) who, due to taking cybersecurity very seriously, took swift action and fixed it within two days of notification (Oct 11th). This is highly commendable and sets an example to other online retailers.”