Cybersecurity and antivirus software company Avast declared the mobile device wishlist app from retailer Target (NYSE:TGT) contained a major security flaw that easily exposed the personal information of users to hackers or anyone on the Web who cared to take a look.
Target immediately shut down parts of the app, so that it could fix the vulnerability, but as this news comes to light at the height of the Christmas shopping season, it couldn't have come at a worse time for the retailer.
Does it matter?
Avast randomly examined a number of retailers' mobile shopping apps to see what kind of information they were collecting -- stores included Home Depot (NYSE:HD), J.C. Penney, Macy's, Safeway, Walgreen Boots Alliance (NASDAQ:WBA), and Wal-Mart.
While some retailers such as Walgreen and Home Depot request an unnecessary amount of permissions from users -- giving the apps broad access to personal info like contact phone lists, photos, and location -- the Target app was found to provide anyone with a mind to search shockingly easy access to this data.
As Avast's cybersecurity expert Filip Chytry wrote in a company blog post, "The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file." JSON is a text format for storing and exchanging structured data.
He also noted there was no requirement to authenticate the user, and Avast was able to quickly gain entry to personal data that should have been hidden. Target apologized for the breach, but because the retailer was the subject of a massive attack two years ago that severely damaged its reputation, and from which it has only begun to recover this year, the development is troubling.
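The flaw described above is an endpoint that returns a user's data as JSON to anyone who supplies a valid user ID. It is fixed on the server by authenticating the caller and checking ownership of each record. The sketch below is an added illustration, not code from Target's app or Avast's post; the record fields, IDs and function names are constructed for the example.

```python
import json
import secrets

# Constructed sample records; the field names are assumptions, not Target's schema.
WISHLISTS = {
    "1001": {"owner": "1001", "name": "A. Shopper", "address": "1 Example St", "items": ["toy"]},
    "1002": {"owner": "1002", "name": "B. Buyer", "address": "2 Sample Ave", "items": ["lamp"]},
}
SESSIONS = {}  # session token -> authenticated user id


def login(user_id):
    """Issue an unguessable session token (stands in for a real login flow)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_wishlist_unauthenticated(user_id):
    """Flawed pattern: the ID in the request is the only thing that selects the record."""
    record = WISHLISTS.get(user_id)
    if record is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(record)  # full record, personal fields included


def get_wishlist_checked(user_id, token):
    """Hardened pattern: authenticate the caller, then authorize per record."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, json.dumps({"error": "authentication required"})
    record = WISHLISTS.get(user_id)
    # Same answer for "missing" and "not yours", so valid IDs cannot be confirmed.
    if record is None or record["owner"] != caller:
        return 404, json.dumps({"error": "not found"})
    # Return only what the client needs, not the whole stored record.
    return 200, json.dumps({"items": record["items"]})
```

With the ownership check in place, working out how user IDs are generated no longer yields anyone else's data, because the ID is not what grants access.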
Home Depot was also the victim of a data breach that was larger in scale than Target's. While it didn't suffer the same sort of blowback from customers the mass merchandiser did, knowing that it's unnecessarily collecting a lot of information about its app users may invite greater scrutiny.
Similarly, Walgreen was the biggest offender in data collection according to Avast, and the cybersecurity firm recommends users be aware of what permissions an app is seeking and tightly control those that they authorize.
For Target, the wishlist app security flaw may raise unpleasant memories as it determines the extent of the damage.