Instant Analysis: Target Corporation's App Has a Major Security Flaw

What happened?

Cybersecurity and antivirus software company Avast declared the mobile device wishlist app from retailer Target contained a major security flaw that easily exposed the personal information of users to hackers or anyone on the Web who cared to take a look.

Target immediately shut down parts of the app, so that it could fix the vulnerability, but as this news comes to light at the height of the Christmas shopping season, it couldn't have come at a worse time for the retailer.

Does it matter?

Avast randomly examined a number of retailers' mobile shopping apps to see what kind of information they were collecting -- stores included Home Depot, J.C. Penney, Macy's, Safeway, Walgreen Boots Alliance, and Wal-Mart.

While some retailers such as Walgreen and Home Depot request an unnecessary amount of permissions from users -- giving the apps broad access to personal info like contact phone lists, photos, and location -- the Target app was found to provide anyone with a mind to search shockingly easy access to this data.

As Avast's cybersecurity expert Filip Chytry wrote in a company blog post, "The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file." JSON is a text format that makes data easier to store and exchange.

He also noted there was no requirement to authenticate the user, and Avast was able to quickly gain entry to personal data that should have been hidden. Target apologized for the breach, but because it was the subject of a massive attack two years ago that severely damaged its reputation, and from which it has only begun to recover this year, the development is troubling.
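The flaw described above, records looked up by a predictable user ID and returned as JSON with no authentication, is a case of missing object-level authorization. The sketch below is an added example, not Target's or Avast's code; the record fields, numeric IDs and function names are assumptions made for illustration. It shows the unauthenticated lookup beside a handler that authenticates the caller and checks ownership.

```python
import json
import secrets

# Constructed sample data: wishlist records keyed by a predictable user ID.
WISHLISTS = {
    1001: {"owner": "alice", "name": "Alice A.",
           "address": "1 Example St", "items": ["lamp"]},
    1002: {"owner": "bob", "name": "Bob B.",
           "address": "2 Example Ave", "items": ["kettle"]},
}
SESSIONS = {}  # session token -> authenticated owner (hypothetical store)


def login(owner):
    """Issue an unguessable session token (stands in for a real login flow)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = owner
    return token


def get_wishlist_vulnerable(user_id):
    """The flaw: any caller who knows or guesses user_id gets the full record."""
    record = WISHLISTS.get(user_id)
    return (200, json.dumps(record)) if record else (404, "{}")


def get_wishlist_hardened(user_id, token):
    """Authenticate the caller, then authorize against the record's owner."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, "{}"
    record = WISHLISTS.get(user_id)
    # Same response for "missing" and "not yours", so IDs cannot be enumerated.
    if record is None or record["owner"] != owner:
        return 404, "{}"
    # Return only the fields the wishlist view needs, not the address.
    return 200, json.dumps({"name": record["name"], "items": record["items"]})
```

The hardened handler fixes the access check; a server-side log of repeated 404 responses across many IDs from one session is the matching detection signal.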

Home Depot was also the victim of a data breach that was larger in scale than Target's. While it didn't suffer the same sort of blowback from customers the mass merchandiser did, knowing that it's unnecessarily collecting a lot of information about its app users may invite greater scrutiny.

Similarly, Walgreen was the biggest offender in data collection according to Avast, and the cybersecurity firm recommends users be aware of what permissions an app is seeking and tightly control those that they authorize.

For Target, the wishlist app security flaw may raise unpleasant memories as it determines the extent of the damage.


The article Instant Analysis: Target Corporation's App Has a Major Security Flaw originally appeared on

Rich Duprey owns shares of J.C. Penney Company. The Motley Fool recommends Home Depot. The Motley Fool has a disclosure policy.

Copyright © 1995 - 2015 The Motley Fool, LLC. All rights reserved.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.

