Tech security firm says it's easy to hack Target gift registry apps

Target responds by disabling app elements as it seeks a fix.

December 16, 2015 at 3:32PM
(Evan Ramstad/The Minnesota Star Tribune)

Beware if you're making a wish list using the apps for Target or its gift registries. Your list, along with personal information, could be accessed by hackers, according to an international security firm.

Unlike the 2013 Target data breach, customer financial information is not compromised via the wish list or registry apps, according to Patrick Dorn, a spokesman for Avast, the security firm that used the holiday season to examine some popular shopping apps. Researchers there wanted to determine what data was being collected and how secure it was.

Avast researchers found that the Target app keeps a database of users' wish lists, names, addresses and e-mail addresses. That information could be accessed because the Target app's Application Program Interface (API) is easily accessible over the Internet by those with the know-how, according to Filip Chytry, a researcher with Avast, one of the world's largest anti-virus companies.

Target took Avast's assertions seriously, issuing a statement late Tuesday that said, "Earlier this evening, it was brought to our attention that there may be a potential issue with our guest registry platforms. Out of an abundance of caution, we have disabled elements of our wish list app and gift registry while we assess. We apologize for any challenges guests may be facing while trying to access their registry. Our teams are working diligently overnight to resume full functionality."

The revelation about the Target app comes on the heels of the massive data breach that allowed cyberthieves access to personal data of 40 million customers. Earlier this month, the Minneapolis retailer agreed to settle a class-action lawsuit brought by financial institutions for $39 million. It was the last major litigation tied to the breach.

Avast security researchers randomly chose apps from Home Depot, J.C. Penney, Target, Macy's, Safeway, Walgreens and Wal-Mart in an effort to see what retailers knew about their customers, based on the data they collected. Avast focused on Target and Walgreens in the company blog.

Accessing customer information via the gift registry is done through the app's API, which is a set of conditions where if you ask a question, it sends the answer, Chytry explained in the Avast blog. The Target API doesn't require any authentication, he said.

"The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated," Chytry wrote. "Once you have that figured out, all the data is served to you on a silver platter. …" The information Avast was able to get included names, e-mails, shipping addresses, phone numbers, the type of registries and the items on the registries.

"You should be able to get your list of gifts out to a specific group of people who you want to see it," Avast's Dorn said. "But all your personal information shouldn't be accessible to anyone who wants to go in and hack in there. … I do feel uncomfortable when I find that my information can be easily accessible to somebody. … It's kind of building a profile on you."

When examining the apps for various retailers, Avast researchers pointed the finger at the Walgreens app for requesting permissions that are "completely unnecessary" for its app to function. It also requests more permissions than the other apps, with Home Depot's app coming in second.

"The Walgreens app has permission to change your audio settings, pair with Bluetooth devices, control your flashlight, and run at start-up — completely unnecessary for the app to function properly," Chytry wrote.

Mary Lynn Smith • 612-673-4788

about the writer

about the writer

Mary Lynn Smith

Reporter

Mary Lynn Smith is a general assignment reporter for the Star Tribune. She previously covered St. Paul City Hall and Ramsey County. Before that, she worked in Duluth where she covered local and state government and business. She frequently has written about the outdoors.

See More

More from Local

card image

Carlton County, just southwest of Duluth, hadn’t voted for a Republican presidential candidate since Herbert Hoover in 1928. Trump snapped that nearly centurylong streak earlier this month.

card image
card image