Just two weeks after Target agreed to a $39 million settlement for a 2013 data breach, the retailer faces a data leak of personal information from the Target app. The leak, which exposes personal data (names, addresses, email addresses and the like), stems from a major API weakness.
The Target app API requires no authentication, and a security firm had little trouble pulling personal data from the app. Avast, the security firm that uncovered the weakness, initially set out to determine what information a number of retailers (Home Depot, J.C. Penney, Target, Macy's, Safeway, Walgreens, and Walmart) collect from customers through their apps. In the end, Avast found that the wishlist functionality within the Target app keeps a database of wishlists, together with the names, addresses, email addresses and other information associated with those lists. Because the API requires no authentication, the only information needed to retrieve personal data from the Target app is the user ID. Once Avast (or any run-of-the-mill hacker) determines how the user ID is generated, the API returns personal data in a straightforward JSON file.
The JSON file returned includes user names, email addresses, shipping addresses, phone numbers, registry types, and the items on those registries. Accordingly, a Target wishlist may well be exposed to parties far beyond the friends and family with whom the app user intended to share it. Avast aggregated data from 5,000 inputs to run statistical analysis, but did not store any personal information. Target has not yet commented on the discovery, but keep an eye out for the company's reaction.
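As an added illustration (constructed for this write-up, not Target's code or Avast's findings), the model below contrasts a lookup that hands the full record to anyone who supplies a user ID with one that requires an authenticated session, checks that the caller owns the list or was explicitly granted access, and returns only list contents (no contact or shipping details) to shared viewers. All user IDs, names, addresses and session tokens are constructed sample data.

```python
from dataclasses import dataclass, field, asdict


@dataclass
class Wishlist:
    owner_id: str
    name: str
    email: str
    address: str
    items: list = field(default_factory=list)
    shared_with: set = field(default_factory=set)  # user IDs the owner chose to share with


# Constructed sample data standing in for the app's wishlist database and session store.
WISHLISTS = {
    "1001": Wishlist("1001", "Alice Example", "alice@example.invalid", "1 Main St", ["lamp"], {"1002"}),
    "1003": Wishlist("1003", "Bob Example", "bob@example.invalid", "2 Oak Ave", ["kettle"]),
}
SESSIONS = {"tok-alice": "1001", "tok-carol": "1002", "tok-bob": "1003"}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or not authorized for the requested list."""


def lookup_vulnerable(user_id):
    """Weak design: no authentication, and the user ID alone selects the record.
    Every field, including email and shipping address, is returned to whoever asks."""
    w = WISHLISTS.get(user_id)
    return None if w is None else asdict(w)


def lookup_hardened(user_id, session_token):
    """Authenticate the caller, then enforce object-level authorization on the list."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("authentication required")
    w = WISHLISTS.get(user_id)
    # One indistinguishable rejection for "no such list" and "not yours", so the
    # endpoint cannot be used to confirm which user IDs exist.
    if w is None or (caller != w.owner_id and caller not in w.shared_with):
        raise Forbidden("not authorized")
    if caller == w.owner_id:
        return {"owner_id": w.owner_id, "name": w.name, "email": w.email,
                "address": w.address, "items": list(w.items)}
    # A viewer the owner shared with sees the list itself, not the owner's contact data.
    return {"name": w.name, "items": list(w.items)}
```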