A security hole in Alibaba’s international marketplace AliExpress could have let attackers hijack merchants’ online shops, an Israeli security research company said Wednesday (Dec. 10). Alibaba said it has now fixed the problem, Reuters reported.
AppSec Labs researchers said the weakness they found could allow attackers to change prices, alter shipment details and shut down an AliExpress shop, according to AppSec founder Erez Metula. Attackers could also see shoppers’ shipping addresses and details about when and where orders were placed. “We would describe this as critical as it can affect any merchant,” Metula said.
However, payment-card details were not exposed by the flaw, he said.
Metula said his company had been trying to notify Alibaba about the problem since October, but that the company was difficult to reach. Alibaba said it acted quickly once “the appropriate teams were made aware of the issue,” and has closed the security hole. The Chinese ecommerce giant also said that, to its knowledge, no user data was exposed, that it has not received reports or complaints from merchants or users that could have been related to these security flaws, and that none of its sites besides AliExpress were affected by the flaw.
But Alibaba did not directly respond to questions about how long the problems existed or whether anyone had exploited the vulnerabilities before they were fixed.