Alibaba security flaws exposed data on millions of users, analysts say

Alibaba says security holes discovered by cyber security experts have been closed

Security flaws on sites operated by e-commerce giant Alibaba may have exposed the personal information of millions of users and merchants, two Israeli cyber security analysts say.

Two separate vulnerabilities, discovered by two different security analysts, exposed personal details such as names and shipping addresses and left merchants’ accounts open to easy attacks from hackers, who could have stolen financial information or hijacked merchant accounts, the analysts say.

Amitay Dan, founder of the Israeli cyber security firm Cybermoon, says he was trying to purchase some lights for his art exhibit on AliExpress, a website owned by the Alibaba Group, when he discovered one of the problems.

When Dan tried to modify his shipping address, the address of another user popped up, and he quickly realized that millions of other users of the Alibaba Group websites were exposed too, he told The Times Wednesday. He wrote about the issue on his blog Monday.

Another Israeli security firm told the Associated Press that it had found a flaw that could have allowed hackers to access and take over merchant accounts. Erez Metula, founder of cyber security firm AppSec Labs, said 21-year-old employee Barak Tawily discovered the lapse, which could have allowed a hacker to change the price of merchants’ goods, change shipping addresses and see customer purchases.

“If I want to buy a $600 phone, I can change the price to a dollar and buy it,” Metula told the AP.

It's still unclear whether any hackers were able to exploit the security holes, but Dan told The Times the flaws he and Tawily discovered could have easily been used to scrub whole databases of user information.

In a statement Wednesday, Alibaba spokeswoman Molly Morgan called the flaws a “potential vulnerability” and said the company had taken “immediate steps to assess and remedy the situation.”

The breach has since been closed, the company said. “We will continue to closely monitor the situation. The security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms,” the statement said.

Alibaba operates several online shopping sites that link buyers and sellers and is often compared with eBay. It also has interests in banking, maps, cloud computing and TV and film production. The company made its debut on the New York Stock Exchange in September, raising $25 billion in the largest IPO in history.

But Dan says Chinese firms like Alibaba will have to get more serious about cyber security if they want to work with Western customers. “I think that’s a lesson that will be learned,” he said.

The two breaches were first reported by Israel’s Channel 10 TV.

Copyright © 2016, Los Angeles Times
11:14 a.m.: This story has been updated to say that it's still unclear whether hackers have breached Alibaba's sites.

This story was originally published at 10:59 a.m.