John Leyden reports:
Retailer Asda dragged its heels for nearly two years before finally this week tackling a set of security vulnerabilities reported to it by a UK consultant. Asda has acknowledged the flaws – which Paul Moore, who discovered them, argues offer up an account hijack risk – but played down their significance.
Moore told El Reg that potentially interlinked cross-site request forgery (CSRF/XSRF) and cross-site scripting (XSS) vulnerabilities have been present on the Asda Groceries site since at least March 2014, when he first reported them, if not before.
Moore provided a proof of concept in November 2015. The potential impact of the flaws is severe, according to Moore.
Read more on The Register.