Menu
Flaw in Alibaba's international e-commerce site put merchants at risk

Flaw in Alibaba's international e-commerce site put merchants at risk

Alibaba Group has said it has fixed the problem on its AliExpress site

Alibaba Group's AliExpress site.

Alibaba Group's AliExpress site.

An Israeli security firm has found a security flaw in Alibaba Group's international marketplace that could have wreaked havoc for the scores of merchants on the site.

AliExpress is a growing English language e-commerce site from the Chinese company that serves various foreign markets including the U.S., Russia and Brazil. But in late October, a researcher from security firm AppSec Labs found a vulnerability that could allow an attacker to hijack a merchant's account.

The flaw would have let an attacker alter product prices, delete goods, and even close the merchant's shop on the site, said AppSec founder Erez Metula on Wednesday in an interview. "They could change the price from a couple hundred dollars to one dollar, and so the bad guy could buy the product cheap," he added.

AppSec immediately contacted Alibaba through emails and phone calls, but struggled to receive a proper response. Only last week, when AppSec spoke about the matter to local Israeli press did Alibaba begin to formally try and reach the security firm.

"I think maybe it had something to do with the language barrier," Metula said. "We don't understand Chinese, and maybe they didn't understand our email, which was in English."

Alibaba has already fixed the problem, and will continue to monitor the situation, the Chinese e-commerce giant said in an email.

"The security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms," it added, without discussing why the company had delayed in responding to AppSec's findings a month earlier.

Although AliExpress isn't the main revenue generator for Alibaba, the site is growing on rising sales from international markets. AppSec Lab's own researcher decided to investigate the platform's security because he is a regular shopper on the site, Metula said.

Metula declined to go into the details of the vulnerability, but he said that the flaw was common enough that every security specialist would look for it when testing a website's security.

"This is a regular vulnerability that's on top of the list that every security tester would check for," he added.

AppSec Labs hasn't checked Alibaba's other e-commerce sites for vulnerabilities, but is working with the Chinese company to fix the problem at the AliExpress marketplace.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags e-commerceAlibaba GroupsecurityExploits / vulnerabilitiesinternet

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments