Target may not be on Santa's "nice list" after its latest mishap, as its mobile wish list app just spilled the personal details of users.
With the holidays rapidly approaching, many consumers may resort to gift-registry apps to keep track of the items they'd like to purchase this holiday season. Such apps typically require users to submit quite a few personal details, and that information is not always as well-guarded as it should be.
As it turns out, people who used Target's wish list app could be seriously exposed, as the retailer made that information available to anyone who can access its application programming interface (API).
Security firm Avast was the one to discover the mishap and reported on the matter on Tuesday, Dec. 15.
"If you created a Christmas wish list using the Target app, it might be accessible to more people than you want to actually receive gifts from," Avast warns. "The Target app keeps a database of users' wish lists, names, addresses, and e-mail addresses. But your closest family and friends may not be the only ones who know you want a new suitcase for your upcoming cruise!"
Avast further explains that Target's API is easily accessible online, which means that hackers could gain access to users' personal details. The API consists of a set of conditions and doesn't require authentication. As the security researchers point out, all one needs to do to gain access to all of that data is figure out how the app generates the user ID.
"Once you have that figured out, all the data is served to you on a silver platter in a JSON file."
Avast requested a JSON file containing a range of data from Target's API. That data included users' names and phone numbers, emails and shipping addresses, as well as the type of registries and the items on them. The security firm notes that it managed to pull data from 5,000 inputs so it could make a statistical analysis, but it didn't store any personal info.
Shortly after Avast notified Target of the mishap, the retailer said it suspended certain elements of the app while developers look into the matter and come up with a fix. For now, however, you might want to steer clear of the Target wish list app.
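The flaw Avast describes is an API that hands over a full record to anyone who supplies a valid ID. The Python below is an added example, not Avast's or Target's code: it sets that pattern beside a handler that authenticates the caller, checks access per registry, and returns only the fields a gift-giver needs. The record layout, session table and function names are hypothetical, and the sample data is constructed.

```python
import secrets

# Constructed sample data; a hypothetical layout, not Target's schema.
REGISTRIES = {
    "1001": {"owner": "alice", "name": "Alice A.", "email": "alice@example.com",
             "phone": "555-0100", "address": "1 Example St",
             "shared_with": {"bob"}, "items": ["suitcase"]},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-eve": "eve"}  # token -> user
PUBLIC_FIELDS = ("name", "items")  # all an invited gift-giver needs to see


def new_registry_id():
    """Random, non-sequential ID. Defence in depth only: the checks below
    must still hold even if an ID leaks or is guessed."""
    return secrets.token_urlsafe(16)


def get_registry_vulnerable(registry_id, token=None):
    """Pattern from the article: no authentication, the ID is the only key."""
    rec = REGISTRIES.get(registry_id)
    return (200, dict(rec)) if rec else (404, None)


def get_registry_hardened(registry_id, token=None):
    """Authenticate, authorize per object, then minimise the response."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    rec = REGISTRIES.get(registry_id)
    # Same answer for "no such list" and "not shared with you", so a caller
    # cannot use status codes to learn which IDs exist.
    if rec is None or (user != rec["owner"] and user not in rec["shared_with"]):
        return 404, None
    if user == rec["owner"]:
        return 200, {k: v for k, v in rec.items() if k != "shared_with"}
    return 200, {k: rec[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    print(get_registry_vulnerable("1001"))             # full record, no login
    print(get_registry_hardened("1001", "tok-eve"))    # (404, None)
    print(get_registry_hardened("1001", "tok-bob"))    # name and items only
```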