Flaw in Alibaba's international e-commerce site put merchants at risk

10.12.2014
An Israeli security firm has found a security flaw in Alibaba Group's international marketplace that could have wreaked havoc for the scores of merchants on the site.

AliExpress is a growing English language e-commerce site from the Chinese company that serves various foreign markets including the U.S., Russia and Brazil. But in late October, a researcher from security firm AppSec Labs found a vulnerability that could allow an attacker to hijack a merchant's account.

The flaw would have let an attacker alter product prices, delete goods, and even close the merchant's shop on the site, said AppSec founder Erez Metula on Wednesday in an interview. "They could change the price from a couple hundred dollars to one dollar, and so the bad guy could buy the product cheap," he added.

AppSec immediately contacted Alibaba through emails and phone calls, but struggled to receive a proper response. Only last week, when AppSec spoke about the matter to local Israeli press did Alibaba begin to formally try and reach the security firm.

"I think maybe it had something to do with the language barrier," Metula said. "We don't understand Chinese, and maybe they didn't understand our email, which was in English."

Alibaba has already fixed the problem, and will continue to monitor the situation, the Chinese e-commerce giant said in an email.

"The security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms," it added, without discussing why the company had delayed in responding to AppSec's findings a month earlier.

Although AliExpress isn't the main revenue generator for Alibaba, the site is growing on rising sales from international markets. AppSec Lab's own researcher decided to investigate the platform's security because he is a regular shopper on the site, Metula said.

Metula declined to go into the details of the vulnerability, but he said that the flaw was common enough that every security specialist would look for it when testing a website's security.

"This is a regular vulnerability that's on top of the list that every security tester would check for," he added.

AppSec Labs hasn't checked Alibaba's other e-commerce sites for vulnerabilities, but is working with the Chinese company to fix the problem at the AliExpress marketplace.

Michael Kan

Zur Startseite