TEL AVIV — The personal and financial details of millions of suppliers and users on the popular Alibaba shopping site have been exposed due to a security lapse potentially going back months, said Israeli hackers who discovered the breach over the weekend.
The lapse allowed anyone with basic computing skills to access both private user information and the account details of thousands of suppliers who sell goods through the Chinese-owned site. The Israeli security analysts who discovered the breach told BuzzFeed News that it took months for the site to respond to their report warning of a serious security lapse.
BuzzFeed News agreed to withhold details of the security breach until Alibaba was able to fix the loopholes on Wednesday morning.
"They aren't serious about their online security. They have patched-up the problems we showed them, but there are other parts of the site that are still wide-open," said Amitay Dan, an Israeli cyber-security analyst working at Cybermoon. He wrote about the breach he found on his blog. "It's obvious that they don't take the security seriously enough. It shouldn't take days to fix this."
Dan discovered the vulnerability, which would allow anyone to steal the personal information AliExpress or Alibaba users without knowing their account passwords, while Barak Tawily, an application security expert at AppSec Labs, discovered a separate issue that allowed hackers to easily access the accounts of tens of thousands of merchandisers who sold through Alibaba.
"By sending the merchandiser a message with a basic script you can easily get into their account. When the merchandiser opens the message, it runs the script and the user can easily go in and control the account," said Tawily, who recently posted about the issue on his blog. He said everything from company data to financial information was easily viewed. A person could easily go in, find a $1,000 item, change the price to $1 and purchase it for themselves.
"Everyone makes mistakes and has lapses, but in something this big as Alibaba you don't expect these kind of easily fixed security lapses to exist," said Tawily. "I told them almost two months ago, and it was only today that it got fixed."
It was unclear if and when any hackers took advantage of the security lapses. Tawily and Dan said it would have been easy for hackers to trove the millions of accounts unnoticed.
Dan discovered a separate flaw which exposers the companies selling through the site. The Chinese e-commerce site boasts that it has more than 300 million active users from 200 countries for its too-good-to-believe prices on bulk and wholesale goods. In September, Alibaba raised $25 billion in the New York Stock Exchange in the largest ever initial public offering.
Dan showed BuzzFeed News how a user could go into the section of the site that allowed them to change or edit their shipping address and contact information. At the end of the URL was a stream of numbers, indicating that individual's specific account; by simply going up or down a few numbers, he could view the accounts of any individual who had used the site.
The security breach has since been closed, and Alibaba said it was updating security across the site.
James Wilkinson, head of International Corporate Affairs for Alibaba, told BuzzFeed News that there had been several security problems, but that they had been fixed by the site.
The flaws Dan found were first reported by Israel's Channel 10 TV.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Contact Sheera Frenkel at email@example.com.
Got a confidential tip? Submit it here.