Australian retail giant Woolworths said this week it has corrected security flaws in the design of its online shopping site (HomeShop) which allowed potential hackers to hijack customer accounts and access personal information.
Company spokeswoman Prudence Anderson said the NSW Police computer fraud division notified Woolworths of the problem a month ago and it was fixed immediately.
However, an Australian computer security group known as Wiretapped, which initially identified the HomeShop vulnerabilities, said the site is still not secure and needs a total redesign.
"The Woolworths site in the UK has similar problems.
"Although bypassing the security mechanisms currently in place at HomeShop is a relatively trivial accomplishment it is a common flaw in many Web-based applications," the spokesman said.
With an estimated 30,000 HomeShop accounts, Wiretapped described the customer database as "gold" for direct marketing companies because it includes personal details such as name, address and contact information along with present and past shopping lists.
Anderson was quick to point out that credit card details could not be accessed as the customer's payments are made when goods are delivered.
Anderson said there is no record of customer accounts being hijacked or information accessed.
"A weakness was identified and fixed; a total redesign was not required and it didn't affect any transactions," she said without providing any further detail.
The HomeShop back end was developed by a Sydney software company, Somerset Systems, which claims the problem was resolved within 24 hours of notification.
Chris Stockton, director of Candle Corporation, Woolworths' consultancy and services division, said it was not a serious problem and vulnerabilities were fixed quickly. Stockton said that "while one could construe there are security issues" the reality is that core information cannot be accessed. However, he admitted there was "potential" for this to occur.
The HomeShop site has username/password combinations as security mechanisms, but according to Wiretapped these could be easily bypassed by a potential hijacker.