A customer discovered that the website of Walmart Canada has a vulnerability that allows anyone to access the personal shopping information of other consumers.
The information exposed by the exploit on Walmart.ca includes full customer names, billing addresses, and whether an order was being delivered or for in-store pickup. The vulnerability also allows users to view if a customer paid using Visa, Mastercard, Amex, or PayPal.
The customer who stumbled upon the exploit, Sanjay Bhatia, attempted to contact Walmart Canada to raise the issue but was unsuccessful. He then decided to reach out to CTV News.
“[It’s a] huge exploit. And I’m just flabbergasted. I’m actually pissed off because, you know, my stuff was on there too,” Bhatia, who works in IT, told CTV News.
According to Bhatia, he was able to access the customer and order information through two specific web pages on Walmart Canada’s website when logged on to his own account. CTV News was able to replicate the exploit and confirm Bhatia’s claims.
Walmart Canada has since responded to the issue.
“We take customer privacy very seriously and have numerous security protocols in place to protect it,” a spokesperson for the retailer said in an email statement.
“As soon as this came to our attention today, and out of an abundance of caution, we immediately disabled the webpage where guest customers could access their order tracking details. We are looking into the matter further.”
The two web pages now redirect to a “Contact Us” page.
Yuan Stevens – policy lead on technology, cybersecurity and democracy at the Ryerson Leadership Lab and the Cybersecure Policy Exchange – told CTV News that the data exposure vulnerability is not exactly a rare occurrence. She explained that the specific web page exploit was even on the 2017 top 10 list of common website security risks of the Open Web Application Security Project.
