The Hacker News reports:
A critical, but easily exploitable personal information disclosure vulnerability has been discovered in the widely popular online marketplace AliExpress website that affects its millions of users worldwide.
[…]
Amitay Dan, an Israeli application security researcher working at Cybermoon.cc, reported the vulnerability to The Hacker News after providing full disclosure of the flaw to the AliExpress team and Israeli media.
Read more on The Hacker News.
Update of Dec. 9: Darren Pauli reports:
Global threads bazaar AliExpress, an offshoot of global tat bazaar AliBaba, has patched a URL flaw that allowed attackers to harvest users’ personal details including names, shipping addresses and phone numbers.
The insecure direct object reference vulnerability reported by an unnamed researcher affected 7.7 million logged-in users for AliExpress, the online retail wing of AliBaba that’s the most visited e-commerce site in Russia.
Read more on The Register.